(54) A gaming software distribution network in a gaming system environment



(57) In one embodiment, a secure gaming system includes at least one gaming terminal and at least one gaming system server. The terminal(s) and server(s) communicate over a communication network. In one embodiment, a server forwards unapproved gaming software over the communication network to a lab, where the lab is configured to test compliance of the unapproved gaming software with a plurality of regulations. The server receives a notification of approval of the unapproved gaming software, where the notification of approval indicates compliance of the unapproved gaming software with the plurality of regulations. The server changes the status of the unapproved gaming software to form approved gaming software. When the server receives a request for a license to use the approved gaming software, along with an indication of payment for the license, the server downloads the approved gaming software to the requestor.
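The approval-and-distribution workflow of the abstract, as an added illustration (not the patent's own code): software is forwarded to a lab, becomes approved only when the lab's notification covers every required regulation for the exact image that was submitted, and is downloaded only against a license request that carries an indication of payment. The package name, regulation names and image bytes are constructed, and SHA-256 is an assumed way of pinning the tested image to the approval.

```python
"""Gaming software approval and distribution server (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass
class GamingSoftware:
    name: str
    image: bytes                   # the software image the lab will test
    status: str = "unapproved"     # unapproved -> submitted -> approved
    approved_digest: str = ""      # digest recorded when approval arrives


@dataclass
class ApprovalNotification:
    """Lab's reply: digest of what it tested and the regulations it passed."""
    tested_digest: str
    compliant_with: frozenset


class DistributionServer:
    def __init__(self, required_regulations):
        self.required = frozenset(required_regulations)
        self.catalog = {}
        self.outbox = []           # (name, image) pairs forwarded to the lab

    @staticmethod
    def digest(image: bytes) -> str:
        # Assumption: SHA-256 ties an approval to one exact build.
        return hashlib.sha256(image).hexdigest()

    def submit_to_lab(self, sw: GamingSoftware) -> str:
        """Forward unapproved software to the lab for compliance testing."""
        if sw.status != "unapproved":
            raise ValueError(f"{sw.name}: only unapproved software is submitted")
        sw.status = "submitted"
        self.catalog[sw.name] = sw
        self.outbox.append((sw.name, sw.image))
        return self.digest(sw.image)

    def receive_approval(self, name: str, note: ApprovalNotification) -> bool:
        """Mark software approved only if the notification refers to the image
        that was submitted and covers every required regulation."""
        sw = self.catalog[name]
        if sw.status != "submitted":
            return False
        if note.tested_digest != self.digest(sw.image):
            return False               # the lab tested a different build
        if self.required - note.compliant_with:
            return False               # partial compliance is not approval
        sw.status = "approved"
        sw.approved_digest = note.tested_digest
        return True

    def request_license(self, name: str, payment_received: bool):
        """Return the approved image for download, or None when refused."""
        sw = self.catalog.get(name)
        if sw is None or sw.status != "approved":
            return None                # nothing unapproved leaves the server
        if not payment_received:
            return None                # a license needs an indication of payment
        # Re-check the stored image against the approved digest before release,
        # so a modified image cannot ride on an earlier approval.
        if self.digest(sw.image) != sw.approved_digest:
            sw.status = "unapproved"   # altered since approval: start over
            return None
        return sw.image


if __name__ == "__main__":
    server = DistributionServer(["RNG", "PAYTABLE", "ACCOUNTING"])
    sw = GamingSoftware("reel_slots_v1", b"constructed slot game image")
    d = server.submit_to_lab(sw)
    print("download before approval:", server.request_license(sw.name, True))
    note = ApprovalNotification(d, frozenset({"RNG", "PAYTABLE", "ACCOUNTING"}))
    print("approved:", server.receive_approval(sw.name, note), sw.status)
    print("download after payment:", server.request_license(sw.name, True))
```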
Description

[0001] This invention is directed to secure gaming system environments including gaming devices configured to provide reel slots, poker video slots, multiple games, and progressive jackpots, and more particularly, to a gaming software distribution network in a gaming system environment.

[0002] Gaming terminals providing games such as electronically driven games such as video slot, video poker, video blackjack, video keno, video bingo, video pachinko, video lottery, and mechanically driven reel slot games, etc., are well known in the gaming industry. Also well known is the fact that preventing cheating and ensuring fair play of the games are crucial to the gaming industry. As a result, within a gaming jurisdiction (i.e., a particular geographic area allowing gaming), a regulatory body is tasked with regulating the games played in that gaming jurisdiction. In virtually all jurisdictions, there are varied but stringent regulatory restrictions regarding the gaming terminals and their associated games. Accordingly, a varied but rigorous approval process of new and modified gaming software is implemented by all gaming jurisdictions. In addition, steps to manually authenticate and verify the new and modified gaming software are typically required after the gaming terminals are delivered to a gaming proprietor.
[0003] Currently, due in part to gaming regulatory requirements and security concerns, games are provided to the individual gaming terminals via one or more erasable programmable read-only memories (EPROM) or electrically erasable PROMs (EEPROM) programmed with gaming software. If the game is provided by a manually installed EPROM, it can only be erased via ultraviolet light. If the game is provided by a manually installed EEPROM, it can only be erased via application of higher than normal electrical voltage. Typically, gaming terminals also include a number of EPROMs programmed to execute basic input/output system (BIOS) functions, various game software programs such as slot, bingo, etc., operating system software, audio functions, diagnostics functions, and to determine game play outcomes using random number generator (RNG) functions and paytables.

[0004] Authenticating the EPROM software requires manual removal of the EPROM by a gaming commission agent and/or a gaming proprietor. A Kobetron MT-2000 or similar diagnostic device is then used to execute an algorithm on the EPROM software. Execution of the algorithm produces an electronic signature that is compared to a previously approved and expected signature (calculated from the data content of a master EPROM approved by the gaming commission). If the electronic signatures match, the gaming software is deemed "authentic" and no action is taken. If, however, the electronic signatures do not match, the gaming software is not authentic, tampering is suspected, the gaming terminal is taken out of service and an investigation is conducted by the gaming commission, the gaming terminal owner, and/or the gaming terminal provider. In some cases, tamper evident security tape is used to secure the EPROM to a main processor board of the gaming terminal to indicate tampering.
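The authentication step of paragraph [0004], as an added illustration rather than the patent's or the diagnostic device's own algorithm: a signature is computed over each installed EPROM's data, compared with the signature expected from the commission-approved master EPROM, and any mismatch puts the terminal out of service. SHA-256 stands in for the device's undisclosed algorithm, the EPROM roles (BIOS, slot game, paytable) follow paragraph [0003], and all images are constructed; the check is generalised to a whole set of EPROMs so that an unapproved extra chip or a missing one also fails.

```python
"""EPROM signature authentication against approved master signatures (added example)."""
import hashlib
import hmac


def electronic_signature(eprom_image: bytes) -> str:
    """Stand-in for the diagnostic device's algorithm (assumption: SHA-256)."""
    return hashlib.sha256(eprom_image).hexdigest()


def approved_signatures(master_eproms: dict) -> dict:
    """Expected signatures, computed once from the commission-approved masters."""
    return {role: electronic_signature(img) for role, img in master_eproms.items()}


def authenticate_terminal(installed: dict, expected: dict) -> dict:
    """Compare every installed EPROM (role -> image) to its expected signature.

    Returns per-EPROM results and an overall action: 'none' when every EPROM
    is authentic, otherwise 'out_of_service' (tampering suspected, so the
    terminal is withdrawn and an investigation follows). An EPROM that is
    missing, or present but not in the approved set, also fails: an
    unexpected chip on the board is as suspicious as an altered one.
    """
    results = {}
    for role in sorted(set(installed) | set(expected)):
        if role not in expected:
            results[role] = "unapproved_eprom"
        elif role not in installed:
            results[role] = "missing"
        else:
            sig = electronic_signature(installed[role])
            # Constant-time comparison of the two hex-string signatures.
            ok = hmac.compare_digest(sig, expected[role])
            results[role] = "authentic" if ok else "signature_mismatch"
    all_ok = bool(results) and all(v == "authentic" for v in results.values())
    return {"eproms": results, "action": "none" if all_ok else "out_of_service"}


if __name__ == "__main__":
    # Constructed master images for the EPROM roles named in [0003].
    master = {
        "bios": b"BIOS v1 (constructed)",
        "slot": b"SLOT game program (constructed)",
        "paytable": b"PAYTABLE 95.0% (constructed)",
    }
    expected = approved_signatures(master)
    print(authenticate_terminal(dict(master), expected)["action"])   # none
    tampered = dict(master, paytable=b"PAYTABLE 99.9% (constructed)")
    print(authenticate_terminal(tampered, expected))                 # out_of_service
```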

[0005] In order to comply with the varied regulatory restrictions required by the different gaming jurisdictions, manufacturers of gaming terminals and associated software, for example, WMS Gaming, Inc., must either develop one "large" software version of a particular game suitable for use in all of the gaming jurisdictions, or develop individual customized gaming software versions of the particular game suitable for use in corresponding individual gaming jurisdictions. Of course, both approaches require additional memory resources and manpower. In addition, after each gaming terminal is delivered to the gaming proprietor, installation of any modifications or "patches" to the gaming software requires execution of a manual and time-consuming authentication process of all affected EPROMs by a gaming technician.

[0006] Generally gaming terminals are configured to operate as "stand-alone" units (that may or may not be coupled to a backroom computer) where the outcome of game play is "locally determined", or as part of a server-based gaming network where the outcome of game play may be either locally determined or "centrally determined". For example, a gaming terminal located in a bar, a convenience store, a riverboat, or an airplane, may operate as a stand-alone unit, while a gaming terminal located in a traditional casino may operate as part of a server-based gaming network within the casino.
[0007] The server-based gaming networks typically include a number of gaming terminals, communicatively coupled via a dedicated (i.e., non-public) communication network to one or more server(s). Because of their versatility, server-based gaming networks enable a gaming proprietor (e.g., Harrah's) to augment the traditional "base" game play with enhancements such as community progressive games, community bonus games, tournaments, etc. Server-based gaming network configurations also enable access to all types of gaming terminal data including gaming terminal performance data, player tracking data, accounting data, security data, and maintenance data, to name a few.
[0008] In cases where a gaming proprietor owns multiple casinos distributed over a large geographical area, individual casinos may be linked together via a large dedicated communication network. In addition, one or more servers in an individual casino may be communicatively coupled via the dedicated communication network to one or more remote database servers, thereby enabling the gaming proprietor to gather gaming data and operate and maintain the gaming network at one convenient location.

[0009] Although costly to install and maintain, dedicated communication networks provide a relatively secure network for transmission of gaming terminal data to the local or remote server(s). Ideally, gaming terminal data can be securely uploaded from the gaming terminals to one or more of the server(s) of the server-based gaming network using the dedicated gaming network. However, due to current gaming regulatory practices, gaming software generally cannot be downloaded from the server(s) to the individual gaming terminals of the server-based gaming network described above. Additionally, because of security concerns, direct communication between individual gaming terminals and remotely located servers is generally precluded in most jurisdictions today. Therefore, operation of the remote server is typically limited to data collection and associated report generation.

BRIEF DESCRIPTION OF THE DRAWINGS
[0010]

FIG. 1 is a block diagram of an embodiment of a secure gaming system environment including gaming device and security elements in accordance with an embodiment of the invention;
FIG. 2 is a block diagram of the electronic components of the gaming devices and the security elements of FIG. 1;
FIGs. 3A-3B is a flowchart of a security routine that may be performed by one or more of the security elements of FIG. 1 and FIGs. 4A and 4B;
FIG. 3C is a flowchart of a certification authority initialization routine that may be performed by one or more of the security elements or gaming devices of FIG. 1 and FIGs. 4A and 4B;
FIG. 3D is a flowchart of a gaming device key generation and signing routine that may be performed by one or more of the security elements or gaming devices of FIG. 1 and FIGs. 4A and 4B;
FIGs. 3E-3G is a flowchart of a digital certificate authentication routine that may be performed by one or more of the security elements or gaming devices of FIG. 1 and FIGs. 4A and 4B;
FIGs. 4A and 4B are block diagrams of an embodiment of a detailed secure gaming system in accordance with an embodiment of the invention;
FIG. 5 is a flowchart of an authentication routine that may be performed by the gaming devices of FIG. 1 and FIGs. 4A and 4B;
FIG. 6 is a high level flowchart of a gaming software approval and distribution routine that may be performed by one or more gaming devices of FIG. 1 and FIGs. 4A and 4B;
FIG. 7 is a perspective view of an embodiment of one of the gaming terminals shown schematically in FIG. 1 and FIGs. 4A and 4B;
FIG. 8 is a flowchart of an embodiment of a main routine that may be performed during operation of one or more of the gaming terminals;
FIG. 9 is an exemplary visual display that may be displayed during performance of a slot routine; and
FIG. 10 is a flowchart of an embodiment of the slot routine that may be performed by one or more of the gaming terminals.

DETAILED DESCRIPTION OF THE INVENTION

EMBODIMENTS

[0011] The description of the preferred examples is to be construed as exemplary only and does not describe every possible embodiment of the invention. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims defining the inventive subject matter.

[0012] Advances in network technologies (e.g., the World Wide Web, the Internet, satellite technology, cellular technology, 802.11 technology, infrared technology, etc.) coupled with advances in available software architectures have provided a fertile ground for development of new gaming system environments: gaming system environments that may or may not include the limitations typically associated with dedicated communication networks.

[0013] New gaming system environments, not limited wholly by dedicated communication networks, may use public communication networks such as, for example, the Internet, and may therefore be vulnerable to unauthorized manipulation from any access point within the gaming system environment via many different methods. For example, unauthorized software, hardware, and/or firmware manipulation of gaming devices may be accomplished via public communication network access (e.g., URL hacking, manipulation via packet inserting, packet sniffing, IP spoofing, DNS table spoofing, denial-of-service attacks, distributed denial-of-service attacks, exploitable URLs and other application level attacks, etc.), via local area network access (e.g., manipulation via password sniffing, DNS table spoofing, common gateway interface hacking, etc.), or via gaming terminal or gaming server access (e.g., manipulation via a known-plaintext attack, a chosen-plaintext attack, stealing passwords, etc.). The manipulation may be the result of intentional or unintentional internal tampering (e.g., manipulation by a casino employee), or it may be the result of external tampering (e.g., by an attacker introducing a computer virus, a computer worm, a Trojan horse, etc.). Obviously, unauthorized manipulation of any gaming system environment at any level will compromise the gaming industry.

[0014] In general, the present invention provides methods and apparatus for a secure gaming system environment that may include a public communication network, a private dedicated communication network, or a combination of both. The methods and apparatus are provided using a layered security approach that may substantially ensure data, software, firmware, and hardware integrity of the gaming devices and associated peripherals of the secure gaming system environment.
[0015] Specifically, the secure gaming system environment of FIG. 1 includes one or more secure gaming terminals coupled via a communications network to one or more secure gaming servers. Selected ones of the secure gaming terminals may include one or more of the following: (1) a secure communication apparatus configured to provide access control at the network level to protect the gaming terminal from attacks mounted remotely via the communication network; (2) an access control apparatus configured to provide access control at the gaming terminal level to protect the gaming terminal from attacks mounted via direct contact with the gaming terminal; and (3) an integrity apparatus configured to provide access control at the network level and the gaming terminal level to protect the gaming terminal software and data from attacks mounted from any one of a number of locations. Similarly, selected ones of the secure gaming servers may include one or more of the following: (1) a secure communication apparatus; (2) an access control apparatus; and (3) an integrity apparatus.

[0016] The components that may be incorporated in the gaming devices (i.e., the gaming terminals and/or the gaming servers) and the security elements (i.e., the integrity apparatus, the secure communication apparatus, and/or the access control apparatus) of the secure gaming system environment are illustrated in FIG. 2. The components that may be incorporated in the gaming devices or security elements illustrated by FIG. 2 are configured to enable execution of a number of routines (e.g., software programs).

[0017] Flowcharts representing embodiments of routines executed by the components of the gaming devices and security elements are illustrated in FIGs. 3A, 3B, 3C, 3D, 3E, 3F, 3G, 5 and 6. For example, FIGs. 3A-3B illustrate a security routine, FIG. 3C illustrates a certification authority initialization routine, FIG. 3D illustrates a key generation and signing routine, and FIGs. 3E-3G illustrate an authentication routine using the digital certificates and key generated by the certification authority initialization routine and the key generation and signing routine of FIGs. 3C and 3D.

[0018] The more detailed secure gaming system shown in FIGs. 4A and 4B incorporates a variety of networks and systems, communicatively coupled, to form a secure gaming system. Some of the networks and systems may be geographically remote from each other. For example, the detailed secure gaming system may include one or more game provider data center networks. The game provider data center networks may be implemented regionally and/or globally. The detailed secure gaming system also may include a customer corporate center coupled to one or more individual customer networks. Each individual customer network may be located in one gaming establishment such as one casino or may be located in many gaming establishments such as a number of casinos, boats, etc. One or more jurisdiction data centers also may be provided to perform jurisdiction regulation and approval functions. In addition, each of the networks and systems of the detailed secure gaming system may incorporate one or more of the security elements discussed in connection with FIG. 1.

[0019] FIG. 5 illustrates an authentication routine that may be performed by one or more of the servers of the jurisdiction data center illustrated in FIGs. 4A and 4B. Utilization of the authentication routine enables local or remote authentication/verification of designated gaming software and/or data residing in any of the gaming devices of the detailed secure gaming system of FIGs. 4A and 4B.

[0020] Similarly, FIG. 6 is an example embodiment of a gaming software approval and distribution routine that may be performed by the gaming devices and security elements of FIGs. 4A and 4B. Specifically, FIG. 6 illustrates the steps that may be executed by one or more servers of the game provider data center network when attempting to gain jurisdictional approval of unapproved software prior to licensing and distribution to a customer. Both of the routines illustrated in FIG. 5 and FIG. 6 may utilize one or more of the security elements discussed in connection with FIG. 1.

[0021] FIG. 7 is an exemplary gaming terminal that may be used in either the secure gaming system environment of FIG. 1 or the detailed secure gaming system of FIGs. 4A and 4B. An exemplary gaming routine that may be performed by components (FIG. 2) of the exemplary gaming terminal of FIG. 7 is illustrated in FIG. 8. The exemplary gaming routine includes a base game such as a slot game, a bingo game, etc., and a bonus game such as Monopoly. For example, an exemplary slot game that may be performed by the exemplary gaming terminal is illustrated in FIG. 9 and an exemplary visual display associated with the slot game is illustrated in FIG. 10.


I. THE SECURE GAMING SYSTEM NETWORK 

[0022] FIG. 1 is a block diagram of a secure gaming system environment 10 in accordance with an embodiment of the invention. As used herein, the term "secure gaming system" is defined to include all manner of securing a computer-based gaming system or network environment including utilizing, for example, secure hardware; perimeter defenses such as firewalls, anti-virus software and anti-virus scanners (AV); two factor authentication (to gain access); authentication of gaming software before and after installation including "on demand" authentication; authentication, authorization, and accounting of the gaming sessions; data integrity assurance (DIA) of designated software files in the gaming devices of the secure gaming system environment 10 including gaming devices at the network level, the server level and the gaming terminal level; gaming software vulnerability assessment (VA); network VA using network-based scanners and host-based scanners; security information management methods including security policy implementation, security teams (e.g., CSIRTs), security reports, incident response, etc.; and proactive and reactive intrusion detection (ID) systems.
[0023] Referring to FIG. 1, the secure gaming system environment 10 includes one or more secure gaming terminal(s) 12 and one or more secure server(s) 14 interconnected via links 16 and 18, respectively, to a communications network 20. The communications network 20 may be a public communications network, for example, the Internet, or it may be a dedicated private network, for example, an intranet.
[0024] A secure gaming terminal 12 includes, in one embodiment, a gaming terminal 22 and one or more of the following security elements: a first secure communication apparatus 24 communicatively coupled to the gaming terminal 22 and the communication network 20; a first integrity apparatus 26 communicatively coupled to the gaming terminal 22; and a first access control apparatus 25 communicatively coupled to the gaming terminal 22. Similarly, a secure gaming server 14 includes, in one embodiment, a gaming server 28 and one or more of the following security elements: a second secure communication apparatus 30 communicatively coupled to the gaming server 28 and the communication network 20; a second integrity apparatus 32 communicatively coupled to the gaming server 28; and a second access control apparatus 34 communicatively coupled to the gaming server 28. As used herein, the term "security element" refers to any of the first and second secure communication apparatus 24, 30, the first and second access control apparatus 25, 34, and the first and second integrity apparatus 26, 32. In addition, the first and second secure communication apparatus 24, 30, the first and second access control apparatus 25, 34, and the first and second integrity apparatus 26, 32 may be implemented as hardware, software, or a combination of both.

[0025] Although FIG. 1 depicts one secure gaming terminal 12 and one secure gaming server 14, the secure gaming system environment 10 may have any number of secure gaming terminals forming a group of secure gaming terminals. The group of secure gaming terminals may be communicatively coupled to one or more secure gaming servers 14 to provide a gaming network. The gaming network may be interconnected via a number of suitable network data links or buses (discussed in connection with FIGs. 4A and 4B). Moreover, one or more individual gaming networks may be linked together via a wide area network (WAN) or a local area network (LAN), depending on the desired configuration.
[0026] Gaming environment security may be addressed in terms of prevention and/or detection of unauthorized actions by users of the secure gaming system network 10. The unauthorized actions may be the result of physical intrusions by a person 40, or software intrusions caused by the person 40. Thus, the first and second secure communication apparatus 24, 30, the first and second access control apparatus 25, 34, and the first and second integrity apparatus 26, 32 are configured to provide multiple levels of access control to the secure gaming system environment 10, in one embodiment, thereby preventing unauthorized actions by person(s) such as person 40.

[0027] In one embodiment, the multiple levels of access control to the secure gaming system environment 10 have three aspects: confidentiality, integrity, and availability. The confidentiality aspect prevents unauthorized users (e.g., person 40) from accessing sensitive information via the gaming terminal(s) 22 or the gaming server(s) 28, or even via the communication network 20. The integrity aspect has two components, in one embodiment: data integrity, which ensures that data associated with the gaming terminal(s) 22 and gaming server(s) 28 has not been deleted or altered by a person without permission; and software integrity, which ensures that the software programs residing in the gaming terminal(s) 22 and gaming server(s) 28 have not been altered by error, a malicious user, or a virus. The availability aspect ensures that a malicious user (e.g., an attacker) cannot prevent legitimate users (e.g., a casino technician) from having required access to the gaming terminal(s) 22 and gaming server(s) 28.
[0028] Access control breaches, or security breaches, may occur as a result of unintentional system misconfiguration due to gaming software or data updates, unauthorized access to any aspect of the gaming terminal(s) 22 or the gaming server(s) 28 by an internal user (i.e., internal system misuse), or unauthorized access to any aspect of the gaming terminal(s) 22 or the gaming server(s) 28 by an outside attacker/hacker. Thus, as used herein, the term "access control" refers to limiting: (1) access to a gaming terminal's or server's software and/or data by a person; (2) access to a gaming terminal's or server's hardware, peripherals, database, memory, etc., by a person; (3) access to a gaming terminal's or server's software by a computer program initiated by a user; and (4) access to a gaming terminal's or server's hardware, peripherals, database, etc., by a computer program initiated by a user.

Ia. Secure Communication Apparatus

[0029] The first and second secure communication apparatus 24, 30, providing access control at a network level, enable secure communication between and among the gaming devices (e.g., the gaming terminal(s) 22 and the gaming server(s) 28). The first and second secure communication apparatus 24, 30 include one or more secure communication elements, including but not limited to those discussed herein, for providing network access control. For example, in one embodiment, the first and second secure communication apparatus 24, 30 include virtual private network (VPN) application software, one or more firewalls, VPN tunneling protocols, and cryptographic methods/protocols such as encryption/decryption protocols. Although included in the first and second secure communication apparatus 24, 30, it will be appreciated by those of ordinary skill in the art that VPN application software, VPN tunneling protocols, and cryptographic protocols may also be included in the gaming terminal(s) 22, the gaming server(s) 28, or another security element of the secure gaming system environment 10.

Ia(1). Application Software

[0030] As previously mentioned, the communication network 20 may be a public communications network or a dedicated private network. If the communication network 20 includes a public network (i.e., the Internet), VPN application software may be utilized to provide a substantially secure VPN connection between and among the secure gaming terminal(s) 12 and the secure server(s) 14. The secure VPN connection may be viewed as a secure communication "pipe" passing through an unsecured public communication environment. Use of a VPN connection (e.g., virtual private dial networks, virtual private routed networks, virtual leased lines, etc.) may partially or wholly reduce the need for costly dedicated communication networks (e.g., dedicated leased or owned private lines) between and/or among the various gaming devices of a gaming system.


Ia(2) VPN Tunneling Protocols

[0031] Secure access within the VPNs may be maintained using one of any number of tunneling protocols. These tunneling protocols include cryptographic protocols such as IPsec, point-to-point tunneling protocol (PPTP), layer two tunneling protocol (L2TP), secure shell (SSH), proprietary protocols, etc. These tunneling protocols may also include future internet protocols developed under the auspices of the Internet Engineering Task Force (IETF) and others to encapsulate gaming software/data traversing the communication network 20. Fundamentally, tunneling protocols send packetized encrypted gaming data to and from the gaming terminal(s) 22 and gaming server(s) 28 through a "tunnel" that is considered secure; the tunnel cannot be entered by data that is not properly encrypted. In addition to using VPN tunneling protocols, a number of other security measures (discussed below) can be implemented to ensure the integrity of gaming data traversing the communication network 20.

[0032] The gaming data may include new or modified gaming software for game play, bonus game play, tournament play, progressive lottery game play, etc., on the gaming terminal(s) 22. The gaming data may also include gaming terminal game performance data, maintenance information or instructions, security data, maintenance data, player data, accounting data, electronic fund transfer (EFT) data, wagering account transfer data, game play information such as selection of game, bet, etc., electronic transfer of funds to/from secure server(s) 14, game outcomes (for systems having central determination), gaming device software (OS, peripherals, etc.), etc.

[0033] The communication network 20 may also include one or more dedicated communication network segments configured as an intranet. An intranet may be desirable if, for example, a large gaming proprietor wishes to link gaming devices within a casino or between two or more casinos. The intranet may be configured to enable downloading of (software) games, game configuration data, game outcomes, game play, etc., from the gaming server(s) 28 to the gaming terminal(s) 22, and to enable uploading of marketing and operations data (i.e., security, accounting, and configuration data) from the gaming terminal(s) 22 to the gaming server(s) 28. The gaming server(s) 28 and the gaming terminal(s) 22 may be further interconnected via private leased phone lines, private microwave or satellite links, dedicated hardwire, wireless links, etc.

Ia(3) Firewalls

[0034] Each of the first and second secure communication apparatus 24, 30 may include a firewall. As is known, firewalls operate much like a router, except that firewalls have additional functionality to protect the gaming device(s) 22 and the gaming server(s) 28 from "intruder data packets". Such intruder data packets may originate from a hacker's computer somewhere within the communication network 20. The hacker (e.g., person 40) may be attempting any number of types of attacks on the gaming system environment including: URL hacking in the case of Internet gaming where the application layer is exploited via worms, viruses, Trojan horses, logic bombs, scumware, spyware; packet sniffing to steal user names and pass codes; IP spoofing where a data packet sent by the hacker and purporting to come from a trusted computer is accepted by a gaming server or terminal; DNS table spoofing where the domain name service routing tables are compromised; denial-of-service attacks and distributed denial-of-service attacks where one or more gaming terminals or servers are crashed by data flooding; etc.
[0035] At the simplest level, a firewall uses a consistent rule set (implementing packet filtering) to test incoming network traffic, and then allows passage of network traffic (e.g., open systems interconnection (OSI) model data packets) that meets the rule set. Network traffic that does not meet the rule set is dropped. More sophisticated firewalls keep information about the state of the network and what types of data packets are expected, rather than looking at individual packets (i.e., a dynamic packet filter or a "stateful inspection" where some packets are intercepted at the network layer, and then data is extracted to perform OSI layer 4-7 inspections). In other words, a firewall included in the first secure communication apparatus 24 provides a perimeter boundary between the gaming terminal 22 and the communication network 20. Similarly, a firewall included in the second secure communication apparatus 30 provides a perimeter boundary between the gaming server 28 and the communication network 20. In addition, firewalls included in the first and second secure communication apparatus 24, 30 may be configured differently or the same, depending on the security threshold required for incoming packets to the gaming terminal 22 and the gaming server 28, respectively. Firewalls may also be installed directly in the gaming terminal(s) 22 and the gaming server(s) 28 or any of the security elements of the secure gaming system network 10.
[0036] More than one firewall may be used with the first secure communication apparatus 24. For example, two logical firewalls may be used to build a safety buffer zone around the gaming terminal(s) 22. The buffer zone (DMZ) may be used to isolate a Web server placed between the secure gaming terminal(s) 22 and the communication network 20 from the gaming terminal(s) 22. One firewall may be used to protect the buffer zone itself (i.e., placed between the Web server and the communication network 20), while a second firewall is configured with more restrictions and placed interior to the first (i.e., placed between the Web server and the gaming terminal(s) 22).
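As an added illustration of the packet-filtering and stateful-inspection behaviour described in [0035] and the two-firewall buffer zone of [0036] (example code written for this page, not part of the patent), the following Python models an outer DMZ firewall and a more restrictive inner firewall; all addresses, ports and rules are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IP packet, reduced to the fields the filter looks at."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True for the first packet of a new TCP connection


class StatefulFirewall:
    """A static rule set (packet filtering) plus a connection table
    (stateful inspection) guarding one set of inside addresses."""

    def __init__(self, inside, allow_outbound, allow_inbound=()):
        self.inside = set(inside)                  # addresses behind this firewall
        self.allow_outbound = set(allow_outbound)  # (proto, dport) the inside may open
        self.allow_inbound = set(allow_inbound)    # (proto, dport) outsiders may open
        self.connections = set()                   # flows opened from the inside

    def filter(self, pkt):
        """Return 'accept' or 'drop' for one packet, updating the state table."""
        outbound = pkt.src in self.inside and pkt.dst not in self.inside
        inbound = pkt.dst in self.inside and pkt.src not in self.inside
        if outbound:
            if (pkt.proto, pkt.dport) in self.allow_outbound:
                # Remember the flow so that its replies count as expected traffic.
                self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "accept"
            return "drop"
        if inbound:
            # Stateful check: a reply to a flow the inside opened itself.
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.connections:
                return "accept"
            # Static rule set for unsolicited connection attempts.
            if pkt.syn and (pkt.proto, pkt.dport) in self.allow_inbound:
                return "accept"
            return "drop"
        return "drop"  # traffic involving no inside address is not ours to pass


# Constructed addresses for the illustration.
TERMINAL = "10.0.1.22"      # gaming terminal 22
WEB = "10.0.2.5"            # Web server inside the buffer zone
SERVER = "10.0.3.28"        # gaming server 28
PUBLIC = "198.51.100.9"     # some host on the communication network


def build_dmz():
    """Outer firewall protects the buffer zone; the inner one is stricter."""
    outer = StatefulFirewall(inside={WEB}, allow_outbound={("tcp", 8443)},
                             allow_inbound={("tcp", 443)})
    inner = StatefulFirewall(inside={TERMINAL}, allow_outbound={("tcp", 8443)})
    return outer, inner


def run_scenario():
    """Pass a handful of constructed packets through both firewalls."""
    outer, inner = build_dmz()
    verdicts = {}
    # The terminal opens a session to the gaming server: allowed outbound.
    verdicts["terminal_to_server"] = inner.filter(Packet(TERMINAL, SERVER, 50123, 8443, syn=True))
    # The server's reply matches the connection table, so it is expected.
    verdicts["server_reply"] = inner.filter(Packet(SERVER, TERMINAL, 8443, 50123))
    # An unsolicited connection attempt at the terminal has no matching state.
    verdicts["unsolicited_to_terminal"] = inner.filter(Packet(PUBLIC, TERMINAL, 40000, 8443, syn=True))
    # The outer firewall admits HTTPS to the buffer-zone Web server...
    verdicts["public_to_web"] = outer.filter(Packet(PUBLIC, WEB, 40001, 443, syn=True))
    # ...but nothing to a port its rule set does not list.
    verdicts["public_to_web_ssh"] = outer.filter(Packet(PUBLIC, WEB, 40002, 22, syn=True))
    return verdicts
```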

[0037] The firewalls used in the secure gaming system environment 10 may be implemented via traditional router-based firewalls, software-based firewalls using CPUs (i.e., for classic data and file processing), application specific integrated circuits (ASIC), and network processors (i.e., for continuous processing of packet streams, instead of chunks of file/data preceded with discrete operations). The firewalls may also be implemented via programmable network processors to inspect OSI layer 7 packets at gigabit speeds, for example, the ES-1000 switch available from Transtech Networks, Inc. (Oakland, CA). In addition, the firewalls may be implemented using an adaptive computing integrated circuit technology such as the adaptive computing integrated circuit available from Quicksilver Technology (San Jose, CA).

a(4). Cryptographic Methods/Protocols

[0038] Each of the first and second secure communication apparatus 24, 30 may include application of one or more cryptographic methods to ensure integrity of gaming data transmitted via the communication network 20. Such cryptographic methods applied by the first and second secure communication apparatus 24, 30 include (1) message authentication codes (MACs) (i.e., a randomly generated number appended to a digital message which has to be matched at the receiving end in order to authenticate the digital message) used to ensure that the game software packets were not modified during transmission; (2) one-way hash algorithms for authentication such as secure hash algorithm (SHA-1 secure hash algorithm) that serve as "digital fingerprints" (i.e., small pieces of data that can serve to identify much larger digital objects); (3) public-key cryptography (e.g., RSA public-key algorithm for both encryption and authentication, ElGamal, and elliptical curves); (4) digital signature schemes using public-private key pairs (e.g., RSA, digital signature algorithm (DSA), ElGamal signatures); (5) symmetric encryption (e.g., Triple-DES, AES, Algorithm X, etc.); (6) random number generators to generate random numbers for session keys and unique values used in various protocols; (7) protocols using more than one of the above-mentioned authentication techniques; and so on.
[0039] As will be appreciated by those of ordinary skill in the art, the first and second secure communication apparatus 24, 30 may be configured to include any combination of the VPN application software, firewalls, VPN tunneling protocols, and cryptographic methods discussed above, to provide secure communication within the secure gaming system environment 10. Thus, the configuration of the first and second secure communication apparatus 24, 30 may be different, or may be identical.

1b. Access Control Apparatus

[0040] The first access control apparatus 25 and the second access control apparatus 34 provide access control at the gaming device level. The first access control apparatus 25 prevents unauthorized access to the gaming terminal(s) 22 by a person 40. Similarly, the second access control apparatus 34 prevents unauthorized access to the gaming server(s) 28 by the person 40.

[0041] The first and second control apparatus 25, 34 include one or more access control elements, including but not limited to those discussed herein, for providing access control at the gaming device level. For example, in one embodiment, the first and second control apparatus 25, 34 include methods/protocols for authenticating a person and authenticating software attempting access to any aspect of the gaming terminal(s) 12 or the gaming server(s) 14. The first and second control apparatus 25, 34 also include authorization and accounting methods/protocols.

b(1). Authentication, Authorization, Accounting

[0042] Methods to control access at the gaming device level (e.g., the gaming terminal 22 and the gaming server 28) may not be effective unless and until identification and authentication of the person 40 (or computer program initiated by the person 40) attempting access is properly completed. One or more methods/protocols for authenticating a person accessing software, peripherals, memory, etc., of the gaming terminal(s) and server(s) of the secure gaming system environment 10 may be included in the first and second access control apparatus 25, 34. These methods/protocols include, but are not limited to, (1) requiring the use of usernames and passwords (or hashed passwords), (2) requiring use of a biometric identifier (e.g., handwriting, voiceprints, face recognition, fingerprints, hand geometry, typing patterns, retinal scans, iris scans, signature geometry, etc.), (3) requiring use of access tokens (e.g., a token is inserted in a slot in the gaming terminal(s) or server(s)), (4) requiring a user to enter a time-based number (e.g., SecurID authenticator token) on a keypad of the gaming terminal, (5) gaming device specific firewalls, or (6) monitoring a time the user gains access to software, peripherals, memory, etc., of the gaming terminal(s) 22 and server(s) 28 and, based on that time, determining if the access is/was appropriate. In addition to those listed above, combinations of methods/protocols may also be used by the first and second access control apparatus 25, 34 (e.g., performing a SHA-1 hash of a digital representation of a fingerprint).
[0043] For example, the SecurID is a token-based two-factor user authentication technology developed by RSA to take advantage of the industry standard AES algorithm. Used in conjunction with an RSA gaming server (configured as an RSA ACE/Server and a Policy Server), the SecurID functions like an ATM card for the secure gaming network environment 10. The SecurID requires a user (i.e., a casino attendant) to identify himself with two unique factors (i.e., something he knows and something he has) before he is granted access to any of the gaming devices or peripherals of the secure gaming network environment 10. Each SecurID has a unique symmetric key that is combined with a powerful algorithm to generate a new code, or number, every 60 seconds. The user then combines this number with a secret PIN to log into a gaming device (i.e., the gaming terminal or the server). Only the RSA gaming server, utilizing RSA ACE/Server software, knows which number is valid at that moment in time for that user/SecurID combination.

[0044] The RSA gaming server may be additionally configured with policy information that permits a user to access the gaming devices or communication network during specified hours. In addition, some users (casino employees) may be given greater access rights than others. For example, a casino attendant may be required to use a special attendant key to gain access to an Administrator screen. The Administrator screen may then require the casino attendant to enter the username and SecurID passcode prior to gaining physical access to a gaming device. Thus, before the casino attendant is permitted entry to open a gaming terminal door or to change any configuration in the gaming terminal, etc., he/she must be authenticated using the issued SecurID token. Upon authentication, the gaming terminal will communicate with the RSA gaming server, utilizing RSA ACE/Server software (i.e., the Policy Server) before allowing the attendant to proceed with opening the main door, emptying the bill acceptor, etc. In this way two-factor authentication using the SecurID provides restricted physical access to the gaming devices of the secure gaming system environment 10.
[0045] In addition to access control, these methods/protocols may also be used to determine an authorization level or access level of a person properly accessing the gaming terminal(s) or server(s). For example, an access token in conjunction with a passcode may allow a casino technician to gain access to a coin hopper in the gaming terminal 22, but not to the gaming terminal software. As will be appreciated by those of ordinary skill in the art, overall administration of authentication and authorization methods/protocols may also be performed by any gaming device of the secure gaming system network 10.
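The server-side flow of [0043] through [0045] (PIN plus a 60-second token number, then a policy check on hours and role) as an added Python example written for this page, not part of the patent or of RSA's products: the token derivation is a constructed TOTP-style HMAC over the time step, not the proprietary SecurID algorithm, and the user records, PINs, token keys and policy are all constructed.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

STEP = 60      # seconds: the token shows a new number every 60 seconds
DIGITS = 6
PIN_LEN = 4


def token_code(token_key: bytes, now: int) -> str:
    """Number the token displays for the 60-second step containing `now`.
    Constructed derivation: HMAC-SHA1 over the step counter, dynamic
    truncation, then the low six decimal digits (TOTP-style)."""
    counter = struct.pack("!Q", now // STEP)
    mac = hmac.new(token_key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def _pin_hash(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()


# Constructed server records: each user's token key, hashed PIN and role.
USERS = {
    "attendant01": {"key": b"token-key-attendant01", "pin_hash": _pin_hash("4821"),
                    "role": "attendant"},
    "tech07": {"key": b"token-key-tech07", "pin_hash": _pin_hash("9077"),
               "role": "technician"},
}

# Constructed policy: actions a role may perform and the UTC hours allowed.
POLICY = {
    "attendant": {"actions": {"open_main_door", "empty_bill_acceptor"},
                  "hours": range(6, 23)},
    "technician": {"actions": {"open_main_door", "coin_hopper"},
                   "hours": range(0, 24)},
}


def authenticate(user: str, passcode: str, now: int) -> bool:
    """Two factors in one passcode: the secret PIN (something known) followed
    by the current token number (something held).  The adjacent time steps
    are also accepted to tolerate clock skew between token and server."""
    rec = USERS.get(user)
    if rec is None or len(passcode) != PIN_LEN + DIGITS:
        return False
    pin, code = passcode[:PIN_LEN], passcode[PIN_LEN:]
    pin_ok = hmac.compare_digest(_pin_hash(pin), rec["pin_hash"])
    code_ok = any(
        hmac.compare_digest(code, token_code(rec["key"], now + d * STEP))
        for d in (-1, 0, 1)
    )
    return pin_ok and code_ok


def authorize(user: str, passcode: str, action: str, now: int) -> str:
    """Policy-server decision: 'granted' or the reason for refusal."""
    if not authenticate(user, passcode, now):
        return "denied: authentication failed"
    rule = POLICY[USERS[user]["role"]]
    if datetime.fromtimestamp(now, tz=timezone.utc).hour not in rule["hours"]:
        return "denied: outside permitted hours"
    if action not in rule["actions"]:
        return "denied: action not permitted for role"
    return "granted"
```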

[0046] As will also be appreciated by those of ordinary skill in the art, the first and second secure access control apparatus 25, 34 may be configured to include any combination of the authentication, authorization, and accounting methods discussed above, thereby providing secure access to the gaming devices of the secure gaming system environment 10. Thus, the configuration of the first and second secure access control apparatus 25, 34 may be different, or may be identical.


1c. Integrity Apparatus

[0047] The first and second integrity apparatus 26, 32 provide access control at both the gaming device level and network level, and ensure integrity of the gaming software and gaming data within the gaming devices of the secure gaming system network 10. Each of the first and second integrity apparatus 26, 32 may include one or more integrity elements. The integrity elements may include antiviral software, antiviral scanners, an intrusion detection system, a data integrity system or methods, incident response methods/protocols to assess damage and restore systems, security information management protocols (including security response teams), vulnerability assessment methods/protocols, and one or more authentication methods/protocols (cryptographic methods) discussed above.

c(1). Authenticating Received or Residing Gaming Software/Data

[0048] Methods provided by the first and second integrity apparatus 26, 32 for ensuring integrity, authentication, and non-repudiation of gaming software programs attempting access to the gaming devices of the secure gaming system environment 10 may include using one or more of the individual authentication protocols discussed in connection with the first and second secure communication apparatus 24, 30, for example, MACs, one-way hash algorithms, public-key cryptography, digital signature schemes (e.g., code signing), symmetric encryption, session keys (i.e., a key that is used for only one communication session between the gaming devices), and random number generators. Similarly, in addition to providing confidentiality, the methods provided by the first and second integrity apparatus 26, 32 for ensuring integrity, authentication, and non-repudiation of computer programs residing in the gaming devices of the secure gaming system network 10 may include using one or more of the individual authentication protocols discussed above. For example, authentication protocols provided by the first and second integrity apparatus 26, 32 may be used to prevent known-plaintext attacks (i.e., attempts by an attacker to recover the encryption key when the attacker has a copy of the plaintext and the ciphertext) and chosen-plaintext attacks (i.e., attempts by an attacker to recover the encryption key when the attacker chooses the message to be encrypted) against gaming software or data installed in the gaming devices.
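An added example, written for this page and not taken from the patent, of two of the mechanisms named in [0038] and again in [0048]: a keyed MAC (HMAC-SHA256) appended to each game software packet so that modification in transit is detected, and a SHA-256 "digital fingerprint" checked over the reassembled program. The shared key, packet layout and program bytes are constructed.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32                    # bytes of HMAC-SHA256 output
HEADER = struct.Struct("!HI")   # sequence number, payload length


def pack(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build header | payload | MAC.  The MAC covers the header as well, so a
    packet cannot be accepted under a different sequence number."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unpack(key: bytes, packet: bytes):
    """Return (seq, payload), or None if the MAC or framing does not verify."""
    if len(packet) < HEADER.size + MAC_LEN:
        return None
    body, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    seq, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if len(payload) != length:
        return None
    return seq, payload


def receive(key: bytes, packets, fingerprint: bytes):
    """Reassemble the program: every packet must carry a valid MAC and arrive
    in sequence, and the whole must match the published fingerprint."""
    chunks = []
    for expected_seq, pkt in enumerate(packets):
        result = unpack(key, pkt)
        if result is None or result[0] != expected_seq:
            return None
        chunks.append(result[1])
    program = b"".join(chunks)
    if not hmac.compare_digest(hashlib.sha256(program).digest(), fingerprint):
        return None
    return program


# Constructed values for the illustration.
KEY = b"constructed-shared-key-for-illustration"
PROGRAM = b"gaming software image (constructed) " * 4
FINGERPRINT = hashlib.sha256(PROGRAM).digest()


def split(data: bytes, size: int = 20):
    return [data[i:i + size] for i in range(0, len(data), size)]


def demo():
    """Returns (clean transfer ok, tampered payload rejected, reordered rejected)."""
    packets = [pack(KEY, i, chunk) for i, chunk in enumerate(split(PROGRAM))]
    ok = receive(KEY, packets, FINGERPRINT) == PROGRAM
    # Flip one payload byte in the second packet: its MAC no longer verifies.
    bad = bytearray(packets[1])
    bad[HEADER.size] ^= 0x01
    tampered = receive(KEY, packets[:1] + [bytes(bad)] + packets[2:], FINGERPRINT) is None
    # Swap two packets: each MAC verifies, but the sequence check fails.
    swapped = receive(KEY, [packets[1], packets[0]] + packets[2:], FINGERPRINT) is None
    return ok, tampered, swapped
```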

c(2). Antivirus Software and Scanners

[0049] Controlling access to the gaming devices of the secure gaming system environment 10 by the first and second integrity apparatus 26, 32 also includes preventing malicious software from accessing the gaming terminals and associated gaming software. Malicious software as defined herein includes all manner of "malware" including viruses that may be a file infector virus, a boot-sector infector virus, and a macro virus that infect gaming data, Trojan horses (e.g., piece(s) of malware deliberately embedded in a "normal" piece of software to modify existing software in favor of the attacker), and worms (e.g., self-replicating program(s) that corrupt and crash computers). Preventing malicious software from gaining access to the gaming devices of the secure gaming system environment 10 can be achieved using antivirus software or antivirus scanners included in the first and second integrity apparatus 26, 32. Typical antivirus software and/or scanners scan gaming software/data looking for viral code based on a database of virus footprints. When the viral code is detected, antivirus software and/or scanners disinfect the gaming software/data by removing the viral code. For unknown viruses, polymorphic viruses (which mutate with every infection), and encrypted viruses, antivirus programs that look for suspicious virus-like behavior can be utilized.
[0050] Additional security measures provided by the first and second integrity apparatus 26, 32 may be required if the gaming terminals of the secure gaming system environment are configured to accommodate mobile code such as JavaScript, Java, ActiveX, to allow online gaming, or to participate in sophisticated tournament gaming. Currently, Java is the only programming language specifically designed with security in mind. Java programs (e.g., applets) run within a "sandbox" that limits damage that may be caused by malicious software. Three mechanisms protect the sandbox: a byte code verifier (to ensure correct byte code format), a class loader (to determine how and when an applet can add itself to the Java environment), and a security manager (to be consulted whenever the applet attempts to do something questionable like opening a file, opening a network connection, etc.).


c(3). Intrusion Detection System and Method

[0051] Intrusion detection methods and data integrity methods provided by the first and second integrity apparatus 26, 32 may be implemented at the gaming terminal level or at the network level. Unlike perimeter defenses that seal off outside access to the secure gaming system environment 10, intrusion detection and data integrity methods provide assurance of the integrity of core assets (i.e., gaming software and data) within the secure gaming system environment 10. For example, intrusion detection software available from Internet Security Systems, Inc. (Atlanta, Georgia) can be installed in the gaming devices to detect intrusive network packets in the secure gaming system environment 10. Operating much like antivirus software or antivirus scanners, one class of intrusion detection methods may provide "misuse detection" of intrusive network packets that have gained entry into the secure gaming system environment 10. That is, they scan packets looking for bit strings that signify known attacks. Another class of intrusion detection methods utilizes statistical modeling of expected gaming terminal(s) and server(s) behavior to detect intrusive network packets. This modeling includes determining "normal" operation of the gaming devices of the secure gaming system environment 10, and, then using that model, determining anomalous behavior indicating an attack or intrusion. In either case, if an intrusion is detected, appropriate steps are taken. Such appropriate steps may include one or more of the following: disabling the affected gaming devices in a fail-safe fashion (i.e., preventing a value payout), automatically generating a security alarm at an appropriate location, automatically generating an incident report that includes details of the intrusion, dispatching a security team, performing a post-mortem analysis of the intrusion that may include modification to current security measures, etc. Of course, implementing intrusion detection methods provided by the first and second integrity apparatus 26, 32 includes preventing false alarms by ensuring proper and current hardware and software configurations of the gaming devices of the secure gaming system environment 10.
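The two classes of intrusion detection in [0051], as an added Python example written for this page rather than the patent's or any vendor's code: misuse detection matches packet payloads against byte strings of known attacks, and anomaly detection fits a per-terminal model of "normal" packet rate from a training window and flags departures from it; each detection yields the fail-safe response steps listed above. Signatures, traffic counts and packets are all constructed.

```python
import statistics
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed signatures: (name, byte string that signifies a known attack).
SIGNATURES = [
    ("malformed-login-frame", b"LOGIN\x00\x00\xff\xff"),
    ("oversized-field-marker", b"A" * 64),
]


def misuse_detect(pkt: Packet):
    """Names of the known-attack signatures found in the packet payload."""
    return [name for name, pattern in SIGNATURES if pattern in pkt.payload]


@dataclass
class RateModel:
    """Model of one terminal's normal packets-per-minute, fitted from a
    training window of known-good operation."""
    mean: float
    stdev: float
    k: float = 3.0  # standard deviations above the mean that count as anomalous

    @classmethod
    def fit(cls, counts):
        return cls(statistics.mean(counts), statistics.pstdev(counts))

    def is_anomalous(self, count: int) -> bool:
        # Floor the spread at 1.0 so a very flat window does not flag every blip.
        return count > self.mean + self.k * max(self.stdev, 1.0)


@dataclass
class IntrusionDetector:
    models: dict                          # terminal name -> RateModel
    alerts: list = field(default_factory=list)

    def inspect_packet(self, pkt: Packet) -> None:
        """Misuse detection on one packet bound for a gaming device."""
        for name in misuse_detect(pkt):
            self.alerts.append(self._respond(pkt.dst, f"misuse:{name}"))

    def inspect_minute(self, terminal: str, count: int) -> None:
        """Anomaly detection on one minute's packet count for a terminal."""
        model = self.models.get(terminal)
        if model is not None and model.is_anomalous(count):
            self.alerts.append(self._respond(terminal, f"anomaly:{count}/min"))

    @staticmethod
    def _respond(device: str, reason: str) -> dict:
        """The appropriate steps: fail-safe disable (no payout), alarm, report."""
        return {"device": device, "reason": reason,
                "actions": ["disable_fail_safe", "security_alarm", "incident_report"]}


def demo():
    """Run both detectors over constructed traffic; returns the alerts raised."""
    # Training window: packets per minute observed during normal play.
    normal = {"terminal-22": [40, 44, 38, 42, 41, 39, 43, 40]}
    det = IntrusionDetector({t: RateModel.fit(c) for t, c in normal.items()})
    det.inspect_packet(Packet("10.0.3.28", "terminal-22", b"\x01\x02credit=5"))
    det.inspect_packet(Packet("198.51.100.9", "terminal-22", b"LOGIN\x00\x00\xff\xffextra"))
    det.inspect_minute("terminal-22", 42)    # inside the normal band
    det.inspect_minute("terminal-22", 900)   # flood: far above the model
    return det.alerts
```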

[0052] Intrusion detection systems/methods do not, however, fully indicate how gaming data/software was compromised within gaming devices of the secure gaming system environment 10. Further, intrusion detection systems/methods do not know or provide a pre-attack configuration of the gaming software/data that would assist in a post-mortem analysis of the attack. Moreover, although providing after-the-fact detection of external attacks, intrusion detection systems do not look for, nor provide, after-the-fact detection of internal attacks (i.e., a malicious attack or innocent security breach by a casino employee). Data integrity systems and methods may therefore be used to augment intrusion detection.

c(4). Data Integrity System and Method

[0053] Data integrity systems and methods provided by the first and second integrity apparatus 26, 32 may be employed to detect threats or attacks to the gaming devices of the secure gaming system environment 10. For example, data integrity assurance software available from Tripwire Inc. (Portland, Oregon) can be installed in the gaming devices of the secure gaming system environment 10 to monitor gaming data and software for any deviations from an expected baseline. The data integrity assurance software may detect internal or external attacks, and therefore provides an additional layer of security.

[0054] Generally, data integrity systems provided by the first and second integrity apparatus 26, 32 provide a tool for assuring the integrity of critical or monitored items (i.e., gaming OS files) identified in the secure gaming system network 10. Such data integrity systems continually check to see what monitored files have changed, and if a change is detected, automatically isolate the problem, gather "forensic" data associated with the problem including providing a snapshot of the system at the time of the change, and enable repair of the problem with minimal downtime.

[0055] Implementing a data integrity system in the secure gaming system environment 10 is a multi-step process. Once installed in the first and second integrity apparatus 26, 32, the data integrity system creates a database of selected files (i.e., critical system files, directories, registry objects, system executables, databases, user application programs such as gaming software) in a known configuration that represents a desired good state, or baseline, of the secure gaming system environment 10. The selected files may be based on predetermined criteria selected by a gaming system administrator. Alternatively, the selected files may be predetermined, depending on jurisdictional regulations, etc. Subsequently, the data integrity system provides information on any deviations from the baseline by comparing an existing state to the baseline. The deviations may include additions, deletions, or modifications of the selected files. Any changes outside of specific pre-selected boundaries are detected, reported, etc. If the change is determined to be a valid change, the gaming system administrator can accept the change and update the baseline with the new information. If the change is not valid, remedial action described above can be taken to return the secure gaming system environment 10 to a desired state.

[0056] A changed file can be detected in a number of ways by the data integrity system. For instance, a changed file may be detected by comparing a file's inode information (i.e., a structure which stores meta information about a file: size, owner, access and modification times, etc.) against values stored in the previously generated baseline. A changed file may also be detected by comparing several signatures of the file (e.g., hash digests or checksum values) calculated in such a way that it is computationally infeasible to invert. In that case, the data integrity system can be configured to scan using cryptographic signatures of file content in addition to scanning for file name changes. The data integrity system can also scan for known malicious files. In addition, the data integrity system can be configured to scan files that have been copied or downloaded to the gaming terminal(s) and server(s) to ensure that no change occurred during the transfer. Any number of criteria or combinations of criteria may be selected for detecting changes to files.

[0057] Changes outside of the specific pre-selected boundaries may be due to simple gaming software installation errors, inadvertent corruption of vital gaming system data, malicious software such as viruses or Trojan horses that managed to get through perimeter defenses, direct tampering with the gaming terminal(s) or server(s) by a game player or gaming employee, an authorized user violating gaming policy or controls, etc. Therefore, by recognizing any "drift" from the baseline and addressing it immediately, the data integrity system of the first and second integrity apparatus 26, 32 can assure the integrity of monitored items within the secure gaming system environment 10.
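The baseline cycle of [0055] through [0057] (snapshot the selected files, compare a later state, report additions, deletions and modifications, let an administrator accept a valid change) as an added Python example written for this page; it is not the patent's or Tripwire's code. It records the inode-style metadata and the SHA-256 digest described in [0056], and the monitored directory, file names and contents are constructed in a temporary folder.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _record(path: Path) -> dict:
    """Inode-style metadata plus a one-way digest of the file content."""
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def build_baseline(root: Path, monitored) -> dict:
    """Snapshot the selected files (paths relative to `root`) that exist."""
    return {rel: _record(root / rel) for rel in monitored if (root / rel).is_file()}


def compare(root: Path, baseline: dict, monitored) -> dict:
    """Report deviations of the current state from the baseline."""
    current = build_baseline(root, monitored)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": [],
    }
    for rel in sorted(set(current) & set(baseline)):
        old, new = baseline[rel], current[rel]
        if old["sha256"] != new["sha256"]:
            report["modified"].append((rel, "content"))   # the decisive check
        elif old != new:
            report["modified"].append((rel, "metadata"))  # same bytes, new inode data
    return report


def accept_change(root: Path, baseline: dict, rel: str) -> None:
    """An administrator validated the change: fold it into the baseline."""
    path = root / rel
    if path.is_file():
        baseline[rel] = _record(path)
    else:
        baseline.pop(rel, None)


def demo() -> dict:
    """Run one monitoring cycle over a constructed directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        monitored = ["game.bin", "config/paytable.cfg", "config/extra.cfg"]
        (root / "config").mkdir()
        (root / "game.bin").write_bytes(b"game image v1 (constructed)")
        (root / "config" / "paytable.cfg").write_text("rtp=0.95\n")
        baseline = build_baseline(root, monitored)

        # Simulated events: content rewrite, new file, metadata-only touch.
        (root / "game.bin").write_bytes(b"game image v1 (altered)")
        (root / "config" / "extra.cfg").write_text("debug=1\n")
        paytable = root / "config" / "paytable.cfg"
        t = paytable.stat().st_mtime_ns + 10 ** 9
        os.utime(paytable, ns=(t, t))
        first = compare(root, baseline, monitored)

        # The operator accepts the new file; the game image change stays open.
        accept_change(root, baseline, "config/extra.cfg")
        second = compare(root, baseline, monitored)
        return {"first": first, "second": second}
```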


c(5). Vulnerability Assessment Scanners

[0058] Vulnerability assessment scanners provided by the first and second integrity apparatus 26, 32 may be employed to determine vulnerabilities in the secure gaming system network 10. Vulnerability scanners are software tools that are configured to protect the secure gaming system network 10 against non-predictable attacks. They check settings of the gaming devices and determine whether the settings are consistent with a pre-selected gaming security policy. They identify "holes" or vulnerabilities in the secure gaming system environment 10 that could be exploited by an attacker. Thus, vulnerability assessment scanners provided by the first and second integrity apparatus 26, 32 simulate the behavior of an attacker to identify vulnerabilities in the secure gaming system environment 10, thereby enabling proactive security measures to be taken.



[0059] Incident response methods/protocols that assess damage and restore affected devices of the secure gaming system environment 10 are provided by the first and second integrity apparatus 26, 32. Such incident response methods/protocols may employ known security information management techniques or may employ security information management techniques tailored for the gaming environment.

[0060] For example, upon notification by the data integrity system of the first and second integrity apparatus 26, 32, an incident response team of people may respond to a non-valid change in a monitored file by (1) gathering the forensic data (audit logs) associated with the breach, either manually or automatically, and, if required, (2) ensuring safe failure (fail-safe) or shut-down of the affected gaming device, either automatically or manually.

[0061] In the case of the secure gaming terminal 12, detection of corrupt data (i.e., a non-valid change) in a system RAM by the first integrity apparatus 26 may result in automatic suspension of operation of the gaming terminal 22. Similarly, detection of corrupt data on a storage medium by the first integrity apparatus 26 may result in automatic suspension of operation of gaming terminal 22. Audit logs, automatically generated to provide data regarding the detected non-valid change, may be generated by the gaming terminal 22, the integrity apparatus 26, one or more servers such as the secure gaming server 14, or any other suitable device within the secure gaming system environment 10. Concurrently, notification of the detected non-valid change to an appropriate casino employee or other suitable person may be accomplished in any one of a number of ways. For example, notification can occur via a visual notification by the gaming terminal, a wireless (e.g., a pager) or wireline communication, etc. from the integrity apparatus 26, the gaming terminal 22 or a server coupled to the gaming terminal 22.

[0062] Upon notification of the detected non-valid change, the casino employee may be dispatched to the secure gaming terminal 12. A number of manual diagnostic and repair steps may be performed by the casino employee (e.g., the casino employee initiates a gaming terminal power cycle and subsequent execution of local authentication routines). A number of automatic diagnostic and repair steps may also be performed by the integrity apparatus 26, the gaming terminal 22 or a server coupled to the gaming terminal 22. In addition, if it is determined that a new part is needed to repair the gaming terminal 22, notification of the need for the new part may be made manually by the casino employee, or may be made automatically by the integrity apparatus 26, the gaming terminal 22 or a server coupled to the gaming terminal 22. The notification may be received by an appropriate "parts department" via a wireless or wireline communication provided by the communication network 10.

[0063] Approval of the repair may be required prior to allowing the secure gaming terminal 12 to be released for play. The approval may be authorized in any one of a number of ways, depending on the configuration of the secure gaming system environment. For example, the approval may come from a casino employee at the location of the secure gaming terminal 12. The approval may also come from a person within the secure gaming system environment 10, but remotely located from the secure gaming terminal 12, for example, from a jurisdictional regulator. Approval from a person other than a casino employee may be required for recovery actions including changing percentages, denominations, or clearing meter data in the gaming terminal 22.
[0064] In the case of the secure gaming server 14, detection of a non-valid change by the second integrity apparatus 32 may result in isolation of the gaming server 28 from the secure gaming system environment 10. Operation of any gaming terminals coupled to the secure gaming server 14 will continue unimpeded; however, some of the functionality provided by the server to those gaming terminals may be adversely affected for a short period of time (e.g., electronic fund transfers, ticket acceptance, and ticket printing). Therefore, if possible, the functions performed by the gaming server 28 may be seamlessly transferred to another, redundant server in the secure gaming system environment 10 as soon as the second integrity apparatus 32 detects the non-valid change.

[0065] Much like the gaming terminal scenario described above, notification of the detected non-valid change to an appropriate casino employee or other suitable person may be accomplished in any one of a number of ways. Similarly, as described above, a number of manual, automatic, or combined diagnostic and repair steps may be performed, and approval of subsequent repairs to the gaming server 28 may be required before placing the gaming server 14 back into service.

[0066] In the case of a communication failure between or among the secure gaming terminal(s) 12 and the secure gaming server(s) 14, means of notification of the failure and subsequent repair of the failure may vary depending on the type of communication failure. For example, if the communication failure resulted from an inadvertently detached cable coupling a gaming terminal to a gaming server, notification of the failure using the methods discussed above may result in manual re-attachment of the cable. If required, the functions performed by the gaming server may be seamlessly transferred to another, redundant server in the secure gaming system environment 10 as soon as the second integrity apparatus 32 detects the communication failure.
[0067] Fig. 2 is a block diagram of a number of components that may be incorporated in selected ones of the gaming devices and security elements of FIG. 1. Referring to Fig. 2, each of the gaming devices and security elements may include a controller 200 that may comprise a program memory 202, a microcontroller or microprocessor (MP) 204, a random-access memory (RAM) 206, and an input/output (I/O) circuit 208, all of which may be interconnected via a communications link or an address/data bus 210. It should be appreciated that although only one microprocessor 204 is shown, the controller 200 may include multiple microprocessors 204. For example, the controller 200 may include one microprocessor for low level gaming functions and another processor for higher level game functions such as some communications, security, maintenance, etc. Similarly, the memory of the controller 200 may include multiple RAMs 206 and multiple program memories 202, depending on the requirements of the gaming device. Although the I/O circuit 208 is shown as a single block, it should be appreciated that the I/O circuit 208 may include a number of different types of I/O circuits. The RAM(s) 206 and program memories 202 may be implemented as semiconductor memories, magnetically readable memories, and/or optically readable memories, etc.

[0068] Fig. 2 illustrates that multiple peripheral devices depicted as peripheral devices 211, 212, and 214 may be operatively coupled to the I/O circuit 208. Each of the peripheral devices 211, 212, 214 is coupled to the I/O circuit 208 by either a unidirectional or bidirectional, single-line or multiple-line data link, depending on the design of the component that is used. In addition, the peripheral devices 211, 212, 214 may be connected to the I/O circuit 208 via a respective direct line or conductor. Different connection schemes, including wireless connections, could be used. For example, one or more of the peripheral devices 211, 212, 214 shown in Fig. 2 may be connected to the I/O circuit 208 via a common bus or other data link that is shared by a number of components. Furthermore, some of the components may be directly connected to the microprocessor 204 without passing through the I/O circuit 208. Although three peripheral devices are depicted in FIG. 2, more or fewer peripheral devices may be included in FIG. 2.
[0069] A variety of different peripheral devices may be utilized in the different gaming devices and different security elements of the secure gaming system environment 10. For example, if the gaming device is a gaming server 28, the peripheral devices may include a keyboard, a graphical interface unit (GUI) display, a number of communication ports, a monitor, a printer, a modem, a tape drive, a DVD drive, a CD drive, etc. If the gaming device is a gaming terminal 22, the peripheral devices may include a control panel with buttons, a coin acceptor, a note acceptor, a card reader, a number of electromechanical reels, a keypad, a sound circuit driving speakers, a card reader display, a video display, etc., operatively coupled to the I/O circuit 208, either by a unidirectional or bidirectional, single-line or multiple-line data link or wireless link, depending on the design of the component that is used. If the security element is an integrity apparatus 26, 32, the peripheral devices may include a monitor, a printer, a keyboard, etc., to enable gaming security personnel to access data associated with an access control breach identified by the data integrity system.

[0070] Further, the controllers of the gaming devices and the security elements may be operatively coupled to each other in any number of suitable configurations, interconnected as discussed above.

[0071] One manner in which one or more of the gaming devices and security elements of the secure gaming system environment 10 may operate is described below in connection with a number of flowcharts which represent a number of portions or routines of one or more computer programs that may be stored in one or more of the memories of the controller 200. The computer program(s) or portions thereof may be stored remotely, outside of the gaming devices or security elements, and may control the operation from a remote location. Such remote control may be facilitated with the use of a wireless connection or by an Internet interface that connects the gaming devices with a remote computer having a memory in which the computer program portions are stored. The computer program portions may be written in any high level language such as C, C++, C#, JAVA or the like or any low-level, assembly or machine language. By storing the computer program portions therein, various portions of the memories 202, 206 are physically and/or structurally configured in accordance with computer program instructions.

II. ROUTINES PERFORMED BY GAMING DEVICES AND SECURITY ELEMENTS

IIa. Security Routine

[0072] FIG. 3A-3B is a flowchart of an embodiment of a security routine that may be performed by one or more of the security elements of FIG. 1. The security routine 300 provides one example of controlling software packet access to the gaming devices of the secure gaming system environment 10. The security routine 300 may be stored in one or more of the memories of the controller 200. In the illustrated example, network level access control provided by the communication apparatus 24, 30 is discussed in connection with FIG. 3A, while network and gaming device access control provided by the integrity apparatus 26, 32 is discussed in connection with FIG. 3B. As will be appreciated by those of ordinary skill in the art, the access control methods/elements (e.g., firewalls, VPN tunneling protocols, cryptography, etc.) of the communication apparatus 24, 30 and the integrity apparatus 26, 32 discussed in connection with FIGs. 3A-3B may be provided by other apparatus within the secure gaming system environment 10.
[0073] Referring to FIG. 3A, the security routine 300 begins operation when a software data packet attempting access to the secure gaming terminal(s) 12 and/or the secure gaming server(s) 14 via the communication network 20 is received by a firewall of the communication apparatus 24, 30 (block 302). The firewall, which may be implemented using one of the methods discussed in connection with FIG. 1, determines if the data packet is allowed entry (block 304). If the firewall determines that the data packet is an intruder data packet, the data packet is not allowed entry (i.e., rejected) and an attack on the secure gaming terminal(s) 12 and/or secure gaming server(s) 14 is prevented (block 306). If the firewall determines that the data packet is not an intruder data packet, the data packet is allowed entry. Optimally, an intruder data packet is always detected and rejected by a firewall. If the firewall is not properly configured or if a VPN is utilized in the communication network 20, however, an intruder data packet may be allowed to pass through the firewall.
[0074] It is determined whether a VPN is utilized at the network processing layer (block 307). If a VPN is utilized, the data packet is received by one of any number of types of VPN tunneling protocols (block 308) used to secure the VPN over the communication network 20, in one embodiment. If a VPN is not utilized (as may be the case in a dedicated private network), the data packet may be received and decrypted by one or more cryptographic protocols (block 314). If the data packet is received at the network processing layer (block 308) of the secure gaming system environment 10, the VPN tunneling protocol determines whether the data packet is authentic (block 310), in one embodiment. Authentication of the data packet may be determined using an authentication header (AH) method, where the sender of the data is authenticated, or an encapsulating security payload (ESP) method, where the sender of the data is authenticated and the data is encrypted. If the VPN tunneling protocol determines that the data packet is not authentic (i.e., an intruder data packet), the data packet is rejected and an attack on the secure gaming terminal(s) 12 and/or secure gaming server(s) 14 is prevented (block 306). If the VPN tunneling protocol determines that the data packet is authentic, a cryptographic protocol (block 314) provided by the integrity apparatus 26, 32 determines whether the payload data (e.g., files, executable software, etc.) in the data packet is authentic, in one embodiment. Typically, a non-authentic data packet is detected and rejected by the VPN tunneling protocol. If the VPN tunneling protocol is not properly implemented (via an inappropriate encryption algorithm, digital signature algorithm, and so forth), however, one or more non-authentic data packets may exploit the improper implementation and not be authenticated by the VPN tunneling protocol.
[0075] If utilized in the secure gaming system environment 10, a cryptographic protocol receiving the data packet (block 314) may be used to determine whether the data (payload data) carried in the data packet is authentic (block 316). Authentication may be determined using one or more of symmetric encryption, message authentication codes, public-key encryption, one way hash functions, digital signature schemes, random number generator schemes, or combinations. Moreover, the cryptographic protocol provided by the integrity apparatus 26, 32 may be provided at the OSI model network layer, at the OSI model application layer, or both. As previously mentioned, if a VPN tunneling protocol is not used, the data packet may pass directly from the firewall to application of the cryptographic protocol.

[0076] If application of the cryptographic protocol determines that the payload data is not authentic (block 316), the payload data is rejected and an attack on the secure gaming terminal(s) 12 and/or secure gaming server(s) 14 is prevented (block 306). If application of the cryptographic protocol determines that the payload data is authentic, the payload data may be received by the gaming terminal 22, the gaming server 28, or the integrity apparatus 26, 32. Non-authentic payload data may be uncovered by application of the cryptographic protocol and rejected accordingly. If the cryptographic protocol is not properly implemented, however, the data packet may exploit the improper implementation and payload data may be erroneously authenticated.
[0077] Referring to FIG. 3B, in the illustrated example, the payload data received by the integrity apparatus 26, 32 is reviewed by antivirus software (block 320) and virus scanners (block 324), in one embodiment, as discussed in connection with FIG. 1. The payload data may form a file, an executable program, a script, a macro, etc. If the payload data is determined to contain a virus, it is rejected and an attack on the secure gaming terminal(s) 12 and/or secure gaming server(s) 14 is prevented (block 306).

[0078] Concurrently, in one embodiment, the payload data is subject to the intrusion detection system, implemented as a misuse detection system, a statistical modeling system, or a combination of both (block 328). If the intrusion detection system detects an intrusion attributable to the payload data (block 330), the affected gaming device is automatically disabled in a fail-safe manner, a security report is generated, and suitable action is taken (discussed above in connection with FIG. 1), in one embodiment. If the intrusion detection system does not detect an intrusion attributable to the payload data, the controller 200 may determine whether any file deviations (from a baseline) have occurred (block 332). If file deviations have occurred (block 332), indicating an invalid change, incident response is deployed (block 334) (discussed above in connection with FIG. 1), in one embodiment. If file deviations have not occurred, the payload data is accepted as valid and authentic, in one embodiment.
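Added example (not code from the patent) of the payload checks in blocks 314-316 and 332 of the routine just described: it assumes an HMAC-SHA256 message authentication code as the cryptographic protocol, one of the methods the text lists, and a constructed baseline of approved file digests; the key, packets and file contents are constructed.

```go
// Added example, not from the patent: the payload checks of security routine
// 300. The "cryptographic protocol" of blocks 314-316 is modelled with an
// HMAC-SHA256 message authentication code (one of the methods the text lists),
// and block 332 as a SHA-256 comparison against a constructed baseline.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Packet is a constructed stand-in for a software data packet: the file the
// payload would install on the gaming device, the payload, and the sender's MAC.
type Packet struct {
	File    string
	Payload []byte
	MAC     []byte
}

// Baseline maps file names to the hex SHA-256 digest of their approved content.
type Baseline map[string]string

// Verdict mirrors the flowchart: accepted, or rejected at a named block (306).
type Verdict struct {
	Accepted bool
	Reason   string
}

// digestHex returns the hex SHA-256 digest used for baseline entries.
func digestHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// mac computes the MAC a legitimate sender attaches under the shared secret.
func mac(key, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

// payloadAuthentic is block 316: recompute the MAC and compare in constant time.
func payloadAuthentic(key []byte, p Packet) bool {
	return hmac.Equal(mac(key, p.Payload), p.MAC)
}

// fileDeviates is block 332: the payload deviates from the baseline when its
// digest differs from the approved one, or when no approved state exists.
func fileDeviates(b Baseline, p Packet) bool {
	want, ok := b[p.File]
	return !ok || want != digestHex(p.Payload)
}

// inspect applies the checks in flowchart order and stops at the first
// rejection, so an unauthentic packet never reaches the baseline comparison.
func inspect(key []byte, b Baseline, p Packet) Verdict {
	if !payloadAuthentic(key, p) {
		return Verdict{false, "block 316: payload MAC invalid"}
	}
	if fileDeviates(b, p) {
		return Verdict{false, "block 332: file deviates from baseline"}
	}
	return Verdict{true, "payload accepted as valid and authentic"}
}

func main() {
	key := []byte("constructed shared secret")
	approved := []byte("approved reel-slot game v1") // constructed payload
	baseline := Baseline{"game.bin": digestHex(approved)}

	// Authentic and matching the baseline: accepted.
	fmt.Println(inspect(key, baseline, Packet{"game.bin", approved, mac(key, approved)}))

	// Authentic MAC, but the content is not the approved build: block 332.
	changed := []byte("modified reel-slot game")
	fmt.Println(inspect(key, baseline, Packet{"game.bin", changed, mac(key, changed)}))

	// Altered in transit, so the MAC no longer matches: block 316.
	fmt.Println(inspect(key, baseline, Packet{"game.bin", changed, mac(key, approved)}))
}
```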

[0079] Although illustrated as separate from the secure gaming terminal(s) 12 and the secure gaming server(s) 14, the security functionality provided by the secure communication apparatus 24, 30 and the integrity apparatus 26, 32 may be implemented directly in the secure gaming terminal(s) 12 and/or the secure gaming server(s) 14.

IIb. Key-Based Routines For Ensuring Integrity, Authentication, and Non-repudiation

[0080] Symmetric cryptosystems that use secret keys for encryption of plaintext messages and decryption of the resulting ciphertext messages are one type of key-based algorithm. Asymmetric cryptosystems such as public key cryptosystems and multiple-key public key cryptosystems that use public keys for encryption of plaintext messages (or digital signatures) and private keys for decryption of resulting ciphertext messages are another type of key-based algorithm. Generally, symmetric cryptosystems provide a faster method of encryption than asymmetric cryptosystems, but asymmetric cryptosystems provide better authentication techniques. In both types of key-based algorithms, generation, management, and control (including key transmission) of secret, public, and private keys requires a level of protection equivalent to the level of protection sought for the data they encrypt, because the security of the encryption/decryption algorithm rests, in part, on the key.

One-time Session Key:

[0081] In some embodiments, a one-time session key is used for symmetric encryption and decryption of gaming software or other associated data transmitted between two or more gaming devices (e.g., from a server 28 to a gaming terminal 22). The one-time session key may be generated in a number of ways using a public-private key-pair. After generation and secure transmission, the one-time session key can be used to symmetrically decrypt/encrypt gaming software as it is transferred between the gaming devices. As the name suggests, a one-time session key is used for a short period of time, typically one session of gaming software exchanges requiring encryption and decryption.
[0082] Generation and secure distribution of the one-time session key by gaming devices of the secure gaming system environment 10 may be done using public key cryptography. For example, a first gaming device (e.g., the gaming terminal 22) transmits its public key (from a public-private key-pair) to a second gaming device, for example, the server 28. The second gaming device then generates a random one-time session key using random generation methods discussed above, and encrypts the one-time session key using the first gaming device's public key. The encrypted one-time session key is then transmitted to the first gaming device. The first gaming device then decrypts the encrypted one-time session key (using its private key from the public-private key-pair) to recover the session key. The first gaming device is now capable of symmetrically encrypting gaming software using the session key prior to transmission to the second gaming device, and vice versa.
[0083] Control of the session key, or "session key restrictions," are implemented to characterize session key parameters associated with, for example, when a session key is used, what gaming devices are authorized or required to use the session key, and how it is used. Such session key restrictions may be accomplished by attaching a key control vector (KCV) to the session key. The KCV contains the specific uses and restrictions for the particular session key. For example, hashing and XORing the KCV with a master key by the first gaming device yields a result that can be used as an encryption key to encrypt the one-time session key, in one embodiment. The resultant encrypted one-time session key may then be stored with the KCV by the first gaming device. When received by the second gaming device, the KCV can be hashed and XORed with the master key, and the result can be used to decrypt the encrypted one-time session key (i.e., to recover the one-time session key for use). The one-time session key can then be used to symmetrically encrypt and decrypt gaming software transmitted between the first and second gaming devices, in one embodiment.
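Added example, not code from the patent, of the exchange in [0082] and the KCV binding in [0083]: RSA-OAEP is assumed for the public-key step, AES-GCM for encryption under the KCV-derived key, and the KCV fields, master key and device names are constructed.

```go
// Added example, not from the patent: the session-key exchange of [0082] with
// RSA-OAEP standing in for "public key cryptography", then the key control
// vector (KCV) binding of [0083]: SHA-256(KCV) XOR master key becomes an
// AES-GCM key, with the KCV as associated data, so an edited KCV fails to unwrap.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KCV carries constructed restrictions on the session key: how it is used,
// which devices use it, and until when. It is stored in the clear beside the key.
type KCV struct {
	Purpose, Sender, Receiver string
	Expires                   int64 // Unix time
}

func (k KCV) bytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d", k.Purpose, k.Sender, k.Receiver, k.Expires))
}

// kcvAEAD derives the wrapping key of [0083], SHA-256(KCV) XOR master key, and
// returns AES-GCM keyed with it. Both constructors accept a 32-byte AES key.
func kcvAEAD(master [32]byte, k KCV) cipher.AEAD {
	h := sha256.Sum256(k.bytes())
	key := make([]byte, 32)
	for i := range key {
		key[i] = h[i] ^ master[i]
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// wrapSessionKey returns nonce||ciphertext for storage beside the KCV.
func wrapSessionKey(master [32]byte, k KCV, sk []byte) ([]byte, error) {
	gcm := kcvAEAD(master, k)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, sk, k.bytes()), nil
}

// unwrapSessionKey fails if the master key, the KCV or the stored bytes differ
// from those used when the key was wrapped.
func unwrapSessionKey(master [32]byte, k KCV, wrapped []byte) ([]byte, error) {
	gcm := kcvAEAD(master, k)
	if len(wrapped) < gcm.NonceSize() {
		return nil, fmt.Errorf("wrapped key too short: %d bytes", len(wrapped))
	}
	return gcm.Open(nil, wrapped[:gcm.NonceSize()], wrapped[gcm.NonceSize():], k.bytes())
}

// scenario: terminal 22 (first device) holds the key-pair; server 28 (second
// device) draws the session key and encrypts it to the terminal's public key;
// the terminal recovers it, wraps it under a KCV, and an edited KCV must fail.
func scenario() (recovered, unwrapOK, alteredRejected bool, err error) {
	terminal, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	sk := make([]byte, 32) // random one-time session key
	if _, err = rand.Read(sk); err != nil {
		return
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &terminal.PublicKey, sk, nil)
	if err != nil {
		return
	}
	got, err := rsa.DecryptOAEP(sha256.New(), nil, terminal, ct, nil)
	if err != nil {
		return
	}
	recovered = string(got) == string(sk)
	master := sha256.Sum256([]byte("constructed master key"))
	kcv := KCV{"gaming-software-transfer", "terminal-22", "server-28", 1900000000}
	wrapped, err := wrapSessionKey(master, kcv, sk)
	if err != nil {
		return
	}
	_, uerr := unwrapSessionKey(master, kcv, wrapped)
	unwrapOK = uerr == nil
	kcv.Receiver = "terminal-99" // edited restriction: different wrapping key
	_, uerr = unwrapSessionKey(master, kcv, wrapped)
	alteredRejected = uerr != nil
	return
}

func main() {
	fmt.Println(scenario()) // expected: true true true <nil>
}
```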

Public-private Key-pair and Secret Keys:

[0084] Private-public key-pairs used by the gaming devices of the secure gaming system environment 10 may be generated, stored, transmitted, and authenticated in any one of a number of ways, in various embodiments, depending on the scheme selected. For example, a private key (or a secret key) may be generated randomly by an automatic process (e.g., pseudo-random-bit generator) or by using techniques such as key-crunching to convert randomly selected phrases into private keys. The private key may also be generated randomly using a cryptographic algorithm such as triple-DES (DES applied three times). Similarly, the public key may be generated using a random process; however, the random process must yield keys having certain mathematical properties, for example, the key may have to be a prime number, it may have to be a quadratic residue, etc.

[0085] Once generated, secure transmission and verification of the private, public, or secret key by a gaming device of the secure gaming system environment 10 may be implemented, in one embodiment. Secure transmission of the key between gaming devices (via the communication network 20) may be accomplished through the use of a key-encryption key that encrypts the key prior to transmission. Use of the key-encryption key provides an additional layer of security for the key during its transmission. However, distribution of a key-encrypting key typically is manual and therefore may not be feasible if the number of gaming devices in the secure gaming system environment 10 becomes large. For example, because every pair of gaming devices exchanges key-encryption keys, a one hundred-gaming-device network may require about 4,950 key-encryption key exchanges. In addition to using key-encryption keys, secure transmission of the key may also be accomplished by using a trusted courier (e.g., a casino employee), by using a digital signature protocol using a public key database, or by using a key distribution center (discussed below), depending on the cryptographic protocol used.

[0086] After receiving the key, the receiving gaming device may be required to verify the key's authenticity and source. Verification of authenticity and source may be accomplished in a variety of ways, depending on the cryptographic algorithm used and the level of security required. For example, utilization of the trusted courier, the key-encryption key, the digital signature protocol using a public key database, the one-way hash function, the key distribution center (KDC), etc., can provide different levels of assurance of authenticity and the source of the key.

[0087] A key may be stored in a number of ways, again depending on the level of security required. For example, the key may be stored on a magnetic strip card, a ROM key card, or a smart card. The user can then insert the card having the key into a suitable card reader coupled to the gaming device, thereby allowing access to the key by the gaming device. Alternatively, the key may be segmented into two halves. For example, one-half of the key may be stored on a ROM key and the other half of the key may be stored in a suitable component of the gaming device (e.g., program memory). In addition, the key may also be stored in an encrypted form to provide an additional level of security. For example, an RSA private key could be encrypted with a DES key and stored on a tangible medium such as a disk.

[0088] The Public-Private Key-Pair Infrastructure:

Public keys used in public key cryptographic algorithms or in multiple-key public key cryptographic algorithms can be stored in, and verified by, a centralized public key database or registry (e.g., a KDC). A typical centralized registry system (e.g., a public key infrastructure (PKI)) utilizes a "public key certificate" in conjunction with a trusted certification authority (e.g., Verisign) and a separate registration authority to issue and manage security credentials and the public keys. The typical centralized registry system is also configured to use different industry-standard cryptographic algorithms (including RSA, DSA, MD5, SHA-1). A single public key certificate can be derived from a single certification authority or it can be derived from a series of public key certificates, with each of the series of public key certificates derived from a series of certification authority entities and linked or chained via digital signatures (discussed in connection with FIGs. 3C and 3D). In the case of a series of public key certificates derived from a series of certification authority entities, an "end entity" (i.e., the entity named in the subject field of a certificate) can identify the certification authority (i.e., the entity named in the issuer field of a certificate).

The public key certificate is a digitized certificate referred to herein as a "digital certificate" and may be viewed as an electronic passport equivalent to prove identity of associated gaming software or associated gaming data. In the secure gaming system environment 10, the trusted certificate authority and registry authority may be an existing authority body or may be a proprietary authority body operating under the sponsorship and control of an existing gaming jurisdiction body, a large casino customer body (e.g., Harrah's), a special gaming authority, etc. In addition, the secure gaming system environment 10 may include dedicated certificate servers having the centralized public key database.

Public keys and private keys may be created simultaneously by the trusted certificate authority using the same algorithm (e.g., RSA). Creation of the public and private keys may be done by a software routine such as that provided by OpenSSL software (open source software) or may be done using one of the manual routines or a combination routine as discussed above. The resulting private key may be given only to the requesting party (e.g., to the first gaming device) while the resulting public key is made publicly available (e.g., to the first and second gaming devices) as part of the digital certificate. The private key can then be used by the gaming device to decrypt received text or data, including gaming software that has been encrypted using the corresponding public key by another gaming device prior to transmission, in one embodiment. In addition to decrypting messages, the private key can also be used to encrypt a digital certificate, in one embodiment. At the receiving end, the digital certificate can then be decrypted using the corresponding public key, in one embodiment. Thus, the public key held by the receiver gaming device (e.g., the second gaming device) can be used by the sender gaming device (e.g., the first gaming device) to encrypt a message, and the receiver gaming device's private key can be used to decrypt the message, in one embodiment. Alternatively, the private key held by the sender gaming device can be used to encrypt the sender gaming device's signature, and the sender gaming device's public key can be used by the receiver gaming device to decrypt the encrypted signature (thereby authenticating the sender), in another embodiment.

As mentioned above, the public key certificate, or the digital certificate used by the gaming devices of the secure gaming system environment 10, is issued by a trusted certification authority, in one embodiment. Each digital certificate, in one embodiment, includes a copy of the certificate holder's public key (used for encrypting messages and digital signatures), a serial number, an expiration date of the key, and a digital signature of the certificate-issuing authority, so that a recipient can verify that the certificate is real. In the secure gaming system environment 10, the digital certificate holder and the recipient may be a gaming device such as the secure gaming terminal 12 or the secure gaming server 14, or a person such as a casino employee.

b(1). Certification Authority Initialization Routine

[0089] For example, FIG. 3C is a flowchart of a certification authority initialization routine 350 that may be performed, in one embodiment, by a controller 200 of one or more of the security elements or gaming devices of FIG. 1, for example, by the controller 200 of the secure gaming server 14 configured as a certification authority (CA) server. The certification authority initialization routine 350 may be utilized when a customer, such as a casino entity (e.g., Harrah's), has control of, or manages, the certification authority (CA), the registration authority (RA), and the users (e.g., gaming devices such as gaming terminals and servers). Of course, as will be appreciated by those of ordinary skill in the art, variations of the certification authority initialization routine 350 may be utilized depending on ownership/control of the CA and RA. The certification authority initialization routine 350 may be performed by the CA server to provide a self-signed certificate (if the RA and CA are owned and controlled by the same entity, not a real "third party") or to provide an RA approved and CA signed certificate (if the RA and CA are not owned and controlled by the same entity) for use by the gaming devices of the secure gaming system environment 10.
[0090] Referring to FIG. 3C, the certification authority initialization routine 350 begins operation when a request (block 351) for a CA public-private key-pair (key-pair) is received by the CA server (i.e., a request to generate an RSA key-pair for the CA). The request may be a manual request from an appropriate casino employee, may be an automated request, or may be a request from a gaming device of the secure gaming system environment 10. In response, the CA server, utilizing a certificate generation tool such as OpenSSL, generates, encrypts, and stores the public-private key-pair.
[0091] For example, using a randomly generated password, the certificate generation tool generates (block 352) a key-pair. Using a cryptographic algorithm such as triple-DES that supports 168-bit encryption, with SHA-1 message authentication, the certificate generation tool encrypts (block 353) the CA key-pair. The encrypted CA key-pair is then stored in a specified file, for example in a ca.key file in the CA server (or on another secure server). An encrypted CA key-pair is now available for use with the CA digital certificate.
[0092] In response to a request to generate a CA certificate (block 354), a determination is made (block 355) whether the CA and the RA are controlled by the same entity. If so, the CA server provides a self-signed CA digital certificate (block 356). The self-signed CA digital certificate is created when the CA certificate request is generated to contain the required information and when the CA certificate request is signed by the corresponding private key of the encrypted CA key-pair described above. The request may be a manual request from an appropriate casino employee, may be an automated request, or may be a request from a gaming device or security element of the secure gaming system environment 10. Returning to the illustrated example above (using OpenSSL software), in response to the request for a CA certificate, a new digital certificate is generated and signed with the private key of the encrypted CA key-pair described above (e.g., an X.509 certificate). The new CA digital certificate includes the number of days that the certificate is valid, the public key of the key-pair file to be used, the country and state of origin, an organization name (e.g., a company), etc., and the filename (e.g., ca.crt) where the new digital certificate is to reside.
[0093] In cases where the CA and the RA are controlled or managed by different entities (i.e., CA controlled by a casino entity and RA controlled by a jurisdiction entity), in response to a request to generate the CA certificate request (e.g., which, in this case, is the completed CA certificate just prior to signing by the CA), the unsigned CA certificate request is forwarded to the RA (block 358). Any action of approval or disapproval (due to incorrect or incomplete data, etc.) is performed by the RA. Upon approval (block 359), the RA forwards the unsigned, but RA approved, CA certificate request back to the CA where it is reviewed for policy approval and finally signed (block 362). Subsequent to signing, the signed CA certificate request, referred to herein as the CA digital certificate, is forwarded to a predetermined file location (e.g., the ca.crt). The signed CA digital certificate is now available for use upon request.

b(2). Gaming Terminal/Server Key Generation and Signing Routine

[0094] FIG. 3D is a flowchart of a gaming terminal/server key generation and signing routine 370 that, in one embodiment, may be performed by a controller 200 of one or more of the security elements or gaming devices of FIG. 1, for example by a controller 200 of the secure gaming terminal 12. Of course, as will be appreciated by those of ordinary skill in the art, variations of the gaming terminal/server key generation and signing routine 370 may be performed, depending on ownership and/or control of the signed-CA-certificate file. Thus, the gaming terminal/server key generation and signing routine 370 may be performed by one or more of the gaming devices or security elements of the secure gaming system environment 10, and result in a gaming terminal or gaming server digital certificate. During construction, the gaming terminal or server digital certificate is linked back to a CA digital certificate via the private key of the CA digital certificate to ensure its authenticity.
[0095] Referring to FIG. 3D, the gaming terminal/server key generation and signing routine 370 begins operation in response to a request (block 371) for a gaming terminal/server (GT/server) key-pair. The request may be a manual request from an appropriate casino employee, may be an automated request, or may be a request from a gaming device of the secure gaming system environment 10. In response, the CA server, again utilizing a certificate generation tool such as OpenSSL software, generates, encrypts, and stores the GT/server public-private key-pair (GT/server key-pair). For example, much like the CA key-pair, using a randomly generated password, the certificate generation tool generates (block 372) an RSA key-pair for the gaming terminal/server, in one embodiment. Using a cryptographic algorithm such as triple-DES, the certificate generation tool encrypts (block 373) the public key and the private key of the key-pair. The encrypted key-pair for the gaming terminal/server is then stored in a specified file, for example in a usr.key file stored in the CA server (or on another secure server), in one embodiment. An encrypted GT/server key-pair is now available for use with the GT/server digital certificate.

[0096] In response to a request to generate a GT/server digital certificate, the CA server provides an unsigned certificate request, or CSR (block 374). The request may be a manual request from an appropriate casino employee, may be an automated request, or may be a request from a gaming device of the secure gaming system environment 10. Returning to the illustrated example above (using OpenSSL software), in response to the request for the GT/server digital certificate, a new digital certificate request (CSR) is generated. The new digital certificate request includes, in one embodiment, the public key of the GT/server key-pair file to be used, the country (e.g., U.S.), state (e.g., Nevada) and locality (e.g., Las Vegas) of origin, an organization name (e.g., Harrah's), an organization unit name (e.g., Harrah's 1), a common name (e.g., Harrah's gaming terminal #1), and a filename of the new unsigned GT/server digital certificate (e.g., file user.csr). The unsigned GT/server certificate request is now ready for signature by the CA.
[0097] In response to receipt (block 376) of the unsigned GT/server certificate request forwarded by the CA server, the CA reviews (block 377) the certificate request to determine if the certificate complies with CA policies and whether the party who generated the certificate is trustworthy, in one embodiment. Alternatively, in another embodiment, in response to receipt of the unsigned GT/server certificate request, the CA forwards the unsigned GT/server certificate request to an RA. Upon approval by the RA, the unsigned GT/server certificate request is forwarded back to the CA for signature. If it is determined that the certificate complies with CA policies and that the party who generated the certificate is trustworthy, the CA signs (block 378) the public key of the GT/server certificate with a CA private key associated with a particular CA digital certificate, thereby forming a signed GT/server digital certificate. Signing the GT/server certificate public key with the CA private key provides a "link" back to the trusted certification authority. The signed GT/server digital certificate includes, in one embodiment, the key-pair file to be used, the country (e.g., US), state (e.g., Nevada) and locality (e.g., Las Vegas) of origin, an organization name (e.g., Harrah's), an organization unit name (e.g., Harrah's 1), a common name (e.g., Harrah's gaming terminal #1), plus the number of days that the certificate is valid (e.g., 365 days). In addition, a CA certificate identifier number associated with the CA private key used to sign the GT/server digital certificate's public key is included in the signed certificate, in one embodiment. A filename of the signed certificate (e.g., file user.crt) is also included. Thus, the GT/server key generation and signing routine 370 provides a signed and authenticated GT/server digital certificate that includes a key-pair having a public key signed by a CA private-key, thereby linking, or chaining, the GT/server certificate to the CA. The gaming terminal/server digital certificate is now ready for installation in any of the gaming devices of the secure gaming system environment 10, and can provide authentication, privacy, content integrity, and non-repudiation of gaming software/data, both installed and transmitted, between the gaming devices of the secure gaming system environment 10.

[0098] Use of the gaming terminal/server digital certificate may provide authentication, privacy, content integrity, and non-repudiation of gaming software/data, both installed and transmitted, between the gaming devices of the secure gaming system environment 10. For example, the secure gaming server 14 may want to access a gaming terminal's digital certificate to authenticate the secure gaming terminal 12.

b(3). Authentication Routine Using Digital Certificates

[0099] FIGs. 3E-3G are flowcharts of embodiments of an authentication routine using digital certificates. In one embodiment, the authentication routine may be performed by a controller 200 of one or more of the security elements or gaming devices of FIG. 1. The authentication routine provides a method of controlling gaming software/data access, including non-repudiation, authentication, privacy, and content integrity, to the gaming devices using GT/server digital certificates. The authentication routine also provides a method of authenticating the gaming devices of the secure gaming system environment 10, in one embodiment.

[0100] The GT/server digital certificates may be stored in any number of gaming devices or security elements within the secure gaming system environment 10, depending on the access control desired. Installation of the digital certificates in the gaming devices or security elements may be manual or may be automatic using an appropriate Certificate Management protocol (described below). For example, a GT digital certificate may be installed on the secure gaming terminal 12 and a server digital certificate may be installed on the secure gaming server 14 using a PKI Certificate Management Protocol, in one embodiment.
[0101] Referring to FIG. 3E, an authentication routine 380 begins operation when gaming software/data attempts access to the secure gaming terminal 12 or the secure gaming server 14 from another gaming device, in one embodiment. For example, the authentication routine 380 begins operation when the secure gaming terminal 12 requests a gaming software download (e.g., a video slot game, newly approved by jurisdictional regulators) from a secure gaming server 14. Using a communication protocol such as the Secure Socket Layer (SSL) protocol, which utilizes a combination of public key and symmetric key encryption, the secure gaming server 14 and the secure gaming terminal 12 are each authenticated via a "handshake" procedure prior to the gaming software download, in one embodiment. As will be appreciated by those of ordinary skill in the art, the authentication routine 380 may begin operation when the secure gaming server 14, the gaming terminal 22, the gaming server 28, the first secure communication apparatus 24, the second secure communication apparatus 30, the first integrity apparatus 26, the second integrity apparatus 32, or an appropriate person initiates gaming software/data transfer or gaming software/data authentication, in various embodiments.

[0102] The handshake procedure begins when the secure gaming terminal 12 transmits to the secure gaming server 14 its SSL version number, available cryptographic algorithms, and data needed to allow the secure gaming server 14 to communicate with the secure gaming terminal 12 (block 382), in one embodiment. In response, the secure gaming server 14 transmits to the secure gaming terminal 12 its SSL version number, available cryptographic algorithms, and data needed to allow the secure gaming terminal 12 to communicate with the secure gaming server 14 (block 383), in one embodiment. The secure gaming server 14 also transmits its server digital certificate, and if the secure gaming terminal 12 is requesting a server resource (e.g., gaming software or data) that requires gaming terminal authentication, the secure gaming server 14 requests the secure gaming terminal's 12 gaming terminal digital certificate.

[0103] Referring to FIG. 3F (server validation and authentication routine 384), the secure gaming terminal 12 uses information received from the secure gaming server 14 to authenticate the binding between the public key of the gaming server's digital certificate and the secure gaming server 14, in one embodiment. First, the secure gaming terminal 12 checks the server's digital certificate's validity period (block 386). If the current date and time is outside the valid range, the authentication process is terminated (block 386). If the current date and time is inside the valid range, the secure gaming terminal 12 compares a distinguished name (DN) of the CA that issued the server's digital certificate to a list of trusted CAs held by the secure gaming terminal 12, in one embodiment. The list of trusted CAs determines which digital certificates the secure gaming terminal 12 will accept. If the DN of the CA that issued the server's digital certificate matches a DN of a CA on the list of trusted CAs held by the secure gaming terminal 12, the secure gaming terminal 12 uses a public key (found in the list of its trusted CAs) to validate the CA's digital signature on the gaming server's digital certificate (block 388), in one embodiment. If the information in the gaming server's digital certificate changed since it was signed by the trusted CA, the secure gaming terminal 12 will not authenticate the gaming server's identity and the authentication process is terminated (block 386). Similarly, if the CA's public key in the gaming server's digital cert

ificate does not correspond to the private key used by the CA to sign the gaming server's digital certificate, the secure gaming terminal 12 will not authenticate the server's identity and the authentication process is terminated (block 386). If all the criteria are met, the gaming server's digital certificate is considered valid by the secure gaming terminal 12 (block 389), in one embodiment.

[0104] The secure gaming terminal 12 confirms that the secure gaming server 14 is actually located at a network address specified by a domain name in the gaming server's digital certificate (block 390). This prevents an attack commonly referred to as a Man-in-the-Middle attack, where a rogue program intercepts communication between the secure gaming terminal 12 and the secure gaming server 14 and, as a result, substitutes its own key-pair so that the secure gaming server 14 "thinks" that it is properly communicating with the secure gaming terminal 12, and vice versa. If the secure gaming terminal 12 determines that the secure gaming server 14 is not located at the network address specified by a domain name in the gaming server's digital certificate, the secure gaming server 14 is not authenticated by the secure gaming terminal 12 (block 386), in one embodiment. As a result, the secure gaming terminal 12 refuses to establish a connection with the secure gaming server 14. If the secure gaming terminal 12 determines that the secure gaming server 14 is actually located at a network address specified by a domain name in the gaming server's digital certificate, the secure gaming server 14 is authenticated, in one embodiment.

[0105] Using all of the data generated (up to step 389), the secure gaming terminal 12 may create a "premaster secret" for the session, and encrypt the premaster secret with the gaming server's public key obtained from the gaming server's digital certificate. The secure gaming terminal 12 may then send the encrypted premaster secret to the secure gaming server 14.

[0106] The server validation and authentication routine (384) is completed. Referring again to FIG. 3E, the gaming terminal validation and authentication routine (391) is then performed. This routine is described in more detail in conjunction with FIG. 3G. If the secure gaming terminal 12 determines that the gaming server's digital certificate is valid and that the gaming server is authentic, the secure gaming server 14 authenticates the secure gaming terminal 12, in one embodiment. The secure gaming server 14 begins the authentication process by requesting (block 392) that the secure gaming terminal 12 transmit the gaming terminal's digital certificate and a separate piece of digitally signed data (e.g., signed using the public key of the private-public key-pair noted in the gaming server's digital certificate). The separate piece of digitally signed data utilizes a digital signature. The digital signature is generated by creating a one-way hash from data randomly generated during the handshake procedure and known only to the secure gaming terminal 12 and the secure gaming server 14, in one embodiment. The one-way hash of the random data may be encrypted with the private key that corresponds to the public key in the gaming terminal's digital certificate.

[0107] Using the gaming terminal's digital certificate and the separate piece of digitally signed data, the secure gaming server 14 determines whether the gaming terminal's public key validates the gaming terminal's digital signature (block 393). Therefore, upon receipt, the secure gaming server 14 uses the digitally signed data to validate the public key in the gaming terminal's digital certificate and to authenticate the gaming terminal's identity that the gaming terminal's digital certificate claims to represent. If the digital signature is validated with the public key in the gaming terminal's digital certificate, the secure gaming server 14 determines, in one embodiment, that the public key in the gaming terminal's digital certificate matches the private key used to create the digital signature and that the separate piece of digitally signed data has not been tampered with (by an attacker) since the time it was digitally signed.

[0108] The secure gaming server 14 checks the gaming terminal's digital certificate's validity period (block 394). If the current date and time is outside the valid range, the authentication process is terminated (block 386). If the current date and time is inside the valid range, the gaming server compares a distinguished name (DN) of the CA that issued the gaming terminal's digital certificate to a list of trusted CAs held by the gaming server, in one embodiment. The list of trusted CAs determines which digital certificates the secure gaming server 14 will accept. If the DN of the CA that issued the gaming terminal's digital certificate matches a DN of a CA on the list of trusted CAs held by the secure gaming server 14, the secure gaming server 14 uses a public key (found in the trusted CA list) to validate the CA's digital signature on the gaming terminal's digital certificate (block 396), in one embodiment. If the information in the gaming terminal's digital certificate changed since it was signed by the trusted CA, the secure gaming server 14 will not authenticate the gaming terminal's identity and the authentication process is terminated (block 386). Similarly, if the CA's public key in the gaming terminal's digital certificate doesn't correspond to the private key used by the CA to sign the gaming terminal's digital certificate, the secure gaming server 14 will not authenticate the terminal's identity and the authentication process is terminated (block 386), in one embodiment.

[0109] The gaming terminal validation and authentication routine (391) is then completed. Referring again to FIG. 3E, if all the criteria are met, both the secure gaming terminal 12 and the gaming terminal's digital certificate are considered valid and authenticated by the secure gaming server 14 (block 397). Therefore, using the handshake procedure, the secure gaming terminal 12 has determined that both the secure gaming server 14 and the gaming server's digital certificate are valid and authentic and that a man-in-the-middle attack has not occurred. Likewise, using the handshake procedure, the secure gaming server 14 has determined that both the secure gaming terminal 12 and the gaming terminal's digital certificate are valid and authentic.

[0110] Prior to the gaming software download from the secure gaming server 14 to the secure gaming terminal 12, the secure gaming server 14 determines whether the secure gaming terminal 12 is authorized to access the requested gaming software (block 398). The secure gaming server 14 may determine whether the secure gaming terminal 12 has approved access in any number of ways. For example, the secure gaming server 14 may determine whether the secure gaming terminal 12 has approved access to the gaming software by checking its access control lists (ACLs) stored in one of the memories of the controller of FIG. 2. If the secure gaming server 14 determines that the secure gaming terminal 12 has access to the requested gaming software, the secure gaming server 14 establishes a connection to the location of the gaming software, in one embodiment.

[0111] When the secure gaming terminal 12 is successfully authenticated by the secure gaming server 14, the secure gaming server 14 may use its private key to decrypt the encrypted premaster secret. Using the premaster secret, both the secure gaming server 14 and the secure gaming terminal 12 generate a "master secret". Using the master secret, both the secure gaming server 14 and the secure gaming terminal 12 generate a one-time session key for encrypting and decrypting. In addition to symmetrically encrypting and decrypting the gaming software and gaming data exchanged between the secure gaming server 14 and the secure gaming terminal 12, in one embodiment, the one-time session key provides integrity verification (i.e., it detects any changes occurring in the gaming software/data between the time it was sent and received).

[0112] Finally, the secure gaming terminal 12 transmits a message to the secure gaming server 14 indicating that future transmissions from the secure gaming terminal 12 will be encrypted with the session key. It then sends a separate, encrypted message indicating that its portion of the handshake procedure is complete, in one embodiment. Similarly, the secure gaming server 14 transmits a message to the secure gaming terminal 12 indicating that future transmissions from the gaming server will be encrypted with the session key. It then sends a separate, encrypted message indicating that its portion of the handshake procedure is complete, in one embodiment. The gaming software is then encrypted with the one-time session key and downloaded to the secure gaming terminal 12 (block 399). In this way, authentication of gaming software/data transmitted between, or located within, the gaming devices and security elements of the secure gaming system environment 10 is provided.

[0113] As will be appreciated by those of ordinary skill in the art, in addition to SSL, other suitable communication protocols may be used in the authentication routine 380.
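As an added example (not part of the patent), the following Go program models the certificate checks of blocks 386-390 and their mirror in blocks 394-396 with the Go standard library: it builds a constructed CA and GT/server certificates carrying the DN fields listed above, then shows the terminal accepting a valid server certificate and rejecting an expired one, one issued by a CA absent from its trusted list, and one presented for a different server name, and the server accepting a terminal certificate. The CA names, host names, serial numbers and dates are assumed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var issued = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock, so the checks are repeatable

// dn fills in the DN fields the text lists for a GT/server certificate request.
func dn(cn string) pkix.Name {
	return pkix.Name{Country: []string{"US"}, Province: []string{"Nevada"}, Locality: []string{"Las Vegas"},
		Organization: []string{"Harrah's"}, OrganizationalUnit: []string{"Harrah's 1"}, CommonName: cn}
}

// mustIssue generates a key-pair and signs tmpl with the parent's private key (block 378); a nil parent yields a self-signed CA.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate describes a certification authority valid for ten years.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: dn(cn), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: issued, NotAfter: issued.AddDate(10, 0, 0)}
}

// endEntityTemplate describes a GT/server certificate valid for 365 days, the text's example period.
func endEntityTemplate(cn, host string, usage x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(100), Subject: dn(cn), DNSNames: []string{host},
		NotBefore: issued, NotAfter: issued.AddDate(0, 0, 365),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}}
}

// VerifyPeerCert is the check sequence of blocks 386-390 (and its mirror in blocks 394-396): validity period,
// issuer on the trusted CA list with a good CA signature, and, when host is non-empty, the server name (block 390).
func VerifyPeerCert(cert *x509.Certificate, trusted *x509.CertPool, host string,
	usage x509.ExtKeyUsage, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{usage}})
	switch e := err.(type) { // crypto/x509 returns these error types unwrapped
	case nil:
		return "valid"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "outside validity period"
		}
	case x509.UnknownAuthorityError:
		return "issuer not in trusted CA list or CA signature invalid"
	case x509.HostnameError:
		return "server name mismatch"
	}
	return "rejected: " + err.Error()
}

// RunScenarios builds the constructed PKI and exercises the outcomes the text describes.
func RunScenarios() map[string]string {
	trustedCA, trustedKey := mustIssue(caTemplate("Harrah's CA", 1), nil, nil)
	otherCA, otherKey := mustIssue(caTemplate("Some Other CA", 2), nil, nil)
	const host = "gaming-server-14.casino.example" // assumed placeholder name
	srv, cli := x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth
	server, _ := mustIssue(endEntityTemplate("Harrah's gaming server #14", host, srv), trustedCA, trustedKey)
	rogue, _ := mustIssue(endEntityTemplate("Harrah's gaming server #14", host, srv), otherCA, otherKey)
	terminal, _ := mustIssue(endEntityTemplate("Harrah's gaming terminal #1", "gt-1.casino.example", cli), trustedCA, trustedKey)
	pool := x509.NewCertPool() // the list of trusted CAs held by each side
	pool.AddCert(trustedCA)
	return map[string]string{
		"good":       VerifyPeerCert(server, pool, host, srv, issued.AddDate(0, 0, 1)),
		"expired":    VerifyPeerCert(server, pool, host, srv, issued.AddDate(0, 0, 400)),
		"untrusted":  VerifyPeerCert(rogue, pool, host, srv, issued.AddDate(0, 0, 1)),
		"wrong-host": VerifyPeerCert(server, pool, "other.casino.example", srv, issued.AddDate(0, 0, 1)),
		"terminal":   VerifyPeerCert(terminal, pool, "", cli, issued.AddDate(0, 0, 1)),
	}
}

func main() {
	fmt.Println(RunScenarios()) // prints each scenario's verdict
}
```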

III. THE DETAILED SECURE GAMING SYSTEM

[0114] FIG. 4 illustrates one possible embodiment of a detailed secure gaming system 400 in accordance with an embodiment of the invention. Referring to FIGs. 4A and 4B, in addition to the elements, networks and systems discussed below, the detailed secure gaming system 400 includes the gaming devices (e.g., secure gaming terminals, secure gaming servers, gaming routers, etc.) and the security elements (e.g., intrusion detection systems, firewalls, etc.) discussed in connection with FIG. 1. The detailed secure gaming system 400 is configured with one or more customer networks 420, 422, and 424 communicatively coupled to a public communication network such as the Internet 416, a customer corporate center 426 communicatively coupled to the Internet 416, and a game provider data center network 428 communicatively coupled to the Internet 416. In addition, the detailed secure gaming system 400 includes a jurisdiction data center 430. Although only one gaming system environment is illustrated, it is contemplated that there may be more or fewer customer networks, customer corporate centers, game provider data centers, and jurisdiction data centers within the network.

[0115] In general, the customer networks 420, 422, 424 may be located in the same or different geographic regions. For example, the customer network 420 may be provided in a first casino, the customer network 422 may be provided in a second casino, and the customer network 424 may be provided in a third casino located in a separate geographic region from the first and/or second casino. Alternatively, each of the customer networks 420, 422, 424 may be provided in a boat, an airplane, a store, a race track (e.g., a "racino"), etc.

[0116] In general, the customer corporate center 426, which may be operated by or for a gaming proprietor (e.g., Harrah's, a State operating lottery gaming terminals, an Indian tribe, etc.), administers operation of the gaming devices within its customer networks 420, 422, 424. Administration at the customer corporate level may include, inter alia, securing gaming licenses from the game provider data center network 428, ensuring compliance of its gaming hardware and software with jurisdiction regulations, ensuring the integrity and security of gaming software/data operating its gaming terminals, enabling appropriate communication between its gaming devices and the game provider data center network 428, etc.

[0117] In general, the game provider data center network 428, operated by or for a game provider such as WMS Gaming, Inc. (Illinois), administers operation of its gaming devices within a detailed secure gaming system (e.g., system 400). Administration at the game provider level may include, inter alia, administering and coordinating licenses to the customer corporate center 426, ensuring appropriate gaming hardware and software compliance with the various jurisdiction regulations, administering gaming software integrity verification, providing gaming software/data downloads or revoking software downloads when appropriate, and/or general gaming device monitoring functions. Although only one game provider data center is shown as representative of the game provider data center network 428, it is contemplated that there may be additional game provider data centers, co-located or remotely located from each other, provided within the game provider data center network 428, depending on the secure gaming system environment configuration. For example, there may be one corporate-level game provider data center with authority and coordination responsibility for a number of regional-level game provider data centers. Each regional-level game provider data center may then have authority and coordination responsibility for customer corporate centers and customer networks in its region. As will be appreciated by one of ordinary skill in the art, the functions provided by the game provider data center 428 may also be provided by the customer corporate center 426.

[0118] In general, the jurisdiction data center 430, which may also be operated by or for a casino game provider, generally tracks and administers data associated with the operation of gaming terminals in a particular jurisdiction region. Each particular gaming jurisdiction determines methods and procedures for operation of the jurisdiction data center 430. Therefore, because individual gaming jurisdictions have varied regulatory restrictions regarding gaming terminal operation, the level of tracking and administration required may vary from jurisdiction data center to jurisdiction data center 430.

[0119] Referring again to FIGs. 4A and 4B, the detailed secure gaming system 400 includes the secure communication elements, the access control elements, and the integrity elements discussed in connection with FIG. 1. For example, in one embodiment, each of the gaming terminals, routers, and servers is monitored by a data integrity assurance system ("DIA"). Additionally, the routers and servers may include intrusion detection systems ("ID") and/or network vulnerability scanners ("NVA"), in various embodiments. Further, the servers include antivirus scanners ("AV"), in one embodiment. Although not illustrated by individual icons, additional secure communication elements, access control elements, and integrity elements may be included in the detailed secure gaming system 400, in another embodiment.

[0120] Referring again to FIG. 4, the detailed secure gaming system 400 utilizes one or more virtual private network (VPN) configurations, for example VPNs 412 and 414, in one embodiment. The VPNs 412, 414 provide a secure connection over a public communication network such as the Internet 416 for gaming devices communicatively coupled to the VPN. Use of such VPN configurations 412, 414 may partially or wholly reduce the need for costly dedicated communication networks between and/or among the various gaming devices of the detailed secure gaming system 400. As will be appreciated by those of ordinary skill in the art, additional VPNs may be implemented within the detailed secure gaming system 400. For example, a VPN may be utilized to enable secure communication between the jurisdiction data center 430 and the game provider data center network 428.

[0121] Secure access within the VPNs 412, 414 is maintained using one of any number of tunneling protocols. In addition, a number of other security measures (discussed in connection with FIG. 1) can be implemented to ensure the integrity of gaming data traversing the VPNs 412, 414. In various embodiments, the gaming data transmitted via the VPNs 412, 414 may include new or modified gaming software for game play, bonus game play, tournament play, progressive lottery game play, etc., on the gaming terminals. In other embodiments, the gaming data may also include gaming terminal game performance data, maintenance information or instructions, security data, maintenance data, player data, accounting data, game outcomes (for systems having central determination), gaming device software (OS, peripherals, etc.), etc.

[0122] In addition, although not shown, the detailed secure gaming system 400 may include one or more dedicated communication network segments configured as an intranet, in one embodiment. Such an intranet configuration may be included in a server-based gaming system having one or more central server(s) interconnected to a number of gaming terminals. The intranet may be configured to enable downloading of (software) games, game configuration data, game outcomes, etc. from the central server(s) to the gaming terminals, and to enable uploading of marketing and operations data from the gaming terminals to the central server, in one embodiment. The server and the gaming terminals may be interconnected via private leased phone lines, private microwave or satellite links, dedicated hardwire, wireless links, etc.

[0123] The dedicated communication network segments may include security elements such as (1) authentication capability for gaming software before and after installation, including on-demand authentication; (2) authentication, authorization, and accounting of gaming sessions; (3) DIA of designated software files in the central server and the gaming terminals; (4) gaming software VA; (5) security information management; and/or (6) proactive and reactive intrusion detection (ID) systems, to name a few.

[0124] At a top level, each of the subsystems of the detailed secure gaming system 400 (e.g., the customer networks 420, 422, 424, the customer corporate data center 426, the jurisdiction data center 430, and the game provider data center network 428) operate both independently and together to provide a sophisticated gaming environment while, at the same time, ensuring gaming device compliance with the various jurisdictional regulatory restrictions, in one embodiment. For example, if gaming data gathered and data mined (i.e., the gaming data is sorted to identify patterns and establish relationships) at the customer corporate center 426 indicates a very popular game, for example, a Monopoly bonus game manufactured by WMS Gaming, Inc., the customer may desire to purchase 50 additional Monopoly bonus game licenses from the game provider, in one embodiment. The request for the 50 additional licenses by the customer corporate center 426 can be made via the VPN 414. Similarly, payment for the 50 additional Monopoly bonus game licenses can be made via the VPN 414. In addition, the jurisdictional data center 430 can verify compliance of the Monopoly game with the local regional jurisdiction regulations (discussed below).

[0125] Upon receipt of payment for the 50 additional licenses, the customer can download 50 Monopoly bonus games, either from its own database or from the game provider's database, into their servers or into 50 of their gaming terminals, in one embodiment. The VPN 412 may be used to download Monopoly game software packets, which may or may not be encrypted to prevent unauthorized reading during transit, into the selected customer gaming terminals. After downloading, immediate authentication of the Monopoly game software packets will then ensure that no unauthorized data packets were inserted and/or that no Monopoly game software packets were deleted or modified, in one embodiment.

[0126] In various embodiments, authentication of the Monopoly game software packets by the detailed secure gaming system 400 can be achieved in any number of ways, including, for example, using MACs, one-way hash algorithms, public-key cryptography, digital signature schemes using a pair of keys - a public key and a private key, symmetric encryption, random number generators to generate random numbers for keys, unique values in protocols, protocols using more than one of the above-mentioned authentication techniques, and so on. For example, authentication of the Monopoly bonus game software can be verified by sending randomly generated seed data with the Monopoly software data block, running it through a secure hash algorithm such as SHA-1, and verifying the resulting message digest at the receiving end. Subsequent "spot-checks" of the downloaded Monopoly bonus game may ensure continued authentication of the software. Similarly, other game software, updates to the game software, firmware updates to gaming terminal peripherals, software maintenance patches, and other data can be downloaded to the gaming terminals using the communication links provided in the detailed secure gaming system 400.
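As an added example (not from the patent), the following Go program implements the seeded SHA-1 packet check described above together with the detection [0125] calls for: each packet carries a random seed and SHA-1(seed || sequence number || data), and a final manifest over all packet digests lets the receiving end catch inserted or deleted packets as well as modified ones. The sequence number, the manifest, the packet size and the image contents are assumptions; SHA-1 is used because the text names it, and a current deployment would substitute SHA-256 in the same positions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// Packet is one block of downloaded game software with its authentication fields. Seed and
// Digest follow the text; Seq and the manifest below are an added assumption.
type Packet struct {
	Seq    uint32
	Seed   [16]byte
	Data   []byte
	Digest [sha1.Size]byte
}

// packetDigest computes SHA-1(seed || seq || data), with seq as four big-endian bytes.
func packetDigest(seq uint32, seed [16]byte, data []byte) [sha1.Size]byte {
	msg := append(append([]byte(nil), seed[:]...), byte(seq>>24), byte(seq>>16), byte(seq>>8), byte(seq))
	return sha1.Sum(append(msg, data...))
}

// Package is the sending side: it splits the image into fixed-size blocks, draws a fresh random
// seed for each, and attaches the digest.
func Package(image []byte, size int) ([]Packet, error) {
	var pkts []Packet
	for off := 0; off < len(image); off += size {
		end := off + size
		if end > len(image) {
			end = len(image)
		}
		p := Packet{Seq: uint32(len(pkts)), Data: append([]byte(nil), image[off:end]...)}
		if _, err := rand.Read(p.Seed[:]); err != nil {
			return nil, err
		}
		p.Digest = packetDigest(p.Seq, p.Seed, p.Data)
		pkts = append(pkts, p)
	}
	return pkts, nil
}

// Manifest hashes the packet count and every packet digest in order; sent with the download,
// it lets the receiving end detect packets that were inserted or removed.
func Manifest(pkts []Packet) [sha1.Size]byte {
	n := uint32(len(pkts))
	msg := []byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)}
	for _, p := range pkts {
		msg = append(msg, p.Digest[:]...)
	}
	return sha1.Sum(msg)
}

// Verify is the receiving-end check, and the same routine serves the later "spot-checks" of the
// stored packets: each packet must be in sequence with a digest that recomputes from its own seed,
// and the manifest must match. It returns "ok" or the first failure found.
func Verify(pkts []Packet, manifest [sha1.Size]byte) string {
	for i, p := range pkts {
		if p.Seq != uint32(i) {
			return fmt.Sprintf("packet %d missing or out of order", i)
		}
		if packetDigest(p.Seq, p.Seed, p.Data) != p.Digest {
			return fmt.Sprintf("packet %d modified", i)
		}
	}
	if Manifest(pkts) != manifest {
		return "manifest mismatch: packets inserted or removed"
	}
	return "ok"
}

// Demo packages a constructed image and replays the three tampering cases the text names.
func Demo() (map[string]string, error) {
	image := bytes.Repeat([]byte("MONOPOLY-BONUS-GAME-IMAGE/"), 40) // constructed 1040-byte image
	pkts, err := Package(image, 256)                                 // five packets
	if err != nil {
		return nil, err
	}
	manifest := Manifest(pkts)
	out := map[string]string{"intact": Verify(pkts, manifest)}

	modified := append([]Packet(nil), pkts...)
	modified[2].Data = append([]byte(nil), pkts[2].Data...) // copy before tampering
	modified[2].Data[0] ^= 0x01                             // one bit flipped in transit
	out["modified"] = Verify(modified, manifest)

	deleted := append([]Packet{pkts[0]}, pkts[2:]...) // packet 1 dropped
	out["deleted"] = Verify(deleted, manifest)

	extra := Packet{Seq: uint32(len(pkts)), Data: []byte("unauthorized")} // forged but self-consistent
	extra.Digest = packetDigest(extra.Seq, extra.Seed, extra.Data)
	out["inserted"] = Verify(append(append([]Packet(nil), pkts...), extra), manifest)
	return out, nil
}

func main() {
	fmt.Println(Demo())
}
```

The forged packet passes its own digest check, which is why the per-packet seed alone does not cover insertion and the manifest is needed.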
IIIa. Customer Networks

[0127] Each of the customer networks 420, 422, 424 may include a number of gaming terminals interconnected to one or more servers via a property local area network (LAN), in one embodiment. Each of the gaming terminals may be configured as a client that relies on the server(s) for resources (i.e., a client/server architecture), in one embodiment. In an alternate embodiment, each of the gaming terminals may be configured with capability equivalent to the server(s) (i.e., a peer-to-peer architecture). The customer networks 420, 422, 424 may also include one or more controllers and/or switches to accommodate variations in the network interfaces due to varied network protocols (e.g., RS232, RS485, Ethernet, wireless, etc.) utilized to communicate between the gaming devices.

[0128] The customer network 420 includes gaming terminals 432 and 434 interconnected to a server 436 via a property LAN 438, in one embodiment. Similarly, the customer network 422 includes the gaming terminals 440, 442, and 444 interconnected to a server 446 via a property LAN 448, and the customer network 424 includes the gaming terminals 450, 452, and 454 interconnected to a server 456 via a property LAN 458. Other servers or computers (not shown) may be included within the customer networks 420, 422, 424 to manage customer network resources (e.g., files, databases, storage, application programs, printers and other devices). For example, the customer network 424 may include a network computer for managing network traffic, a proxy server for improving network performance, etc.

[0129] The gaming terminals of the customer networks 420, 422, 424 may be configured in any number of ways. For example, in one embodiment, instead of utilizing several EPROMs programmed with individual games, a gaming terminal may be configured with only one EPROM which administers authentication algorithms and boot-up software for the gaming terminal (BIOS), etc. Thus, in one embodiment, instead of residing directly on the EPROM, gaming software can be downloaded from a remote gaming device, such as a server, via either a VPN (internet) or a dedicated communication link (intranet), and the authentication algorithm(s) programmed on the single EPROM can ensure the authentication of the downloaded software. In various embodiments, the gaming software can also be downloaded from high capacity storage devices such as CD ROMs, DVDs, hard drives, compact flash memory, etc., and authenticated using an authentication algorithm stored on the one EPROM. In this way, manual authentication of one EPROM replaces manual authentication of the several EPROMs typical of traditional gaming terminals, and therefore translates into a savings of memory resources and/or manpower. In addition, using this approach may preclude a need for manufacturers of gaming terminals and gaming software to develop one large multi-jurisdictional gaming software version. As will be appreciated by those of ordinary skill in the art, additional EPROMs programmed with additional security elements may be included in the gaming terminals.

[0130] Once networked to other gaming devices, the gaming terminals may be more susceptible to security breaches originating elsewhere in the detailed secure gaming system 400, for example, at the network or intranet level. Methods discussed above in connection with FIG. 1 for securing gaming terminal software, hardware and firmware may be implemented at the server, gaming terminal, LAN and/or network level of the detailed secure gaming system 400, in various embodiments.

[0131] The servers 436, 446, 456 of the customer networks 420, 422, 424, respectively, are utilized to accumulate and analyze data relating to the operation of the gaming terminals (e.g., data indicative of dollar amounts or numbers of wagers on each of the gaming terminals), in one embodiment. The servers 436, 446, 456 may also be utilized to provide distinct types of network gaming services, in various embodiments, including, for example, wide area progressive (WAP) capability that allows multiple gaming terminals to contribute to and compete for system-wide jackpots; slot tracking and accounting capability; cashless gaming management and validation; player tracking capability; interactive linked gaming capability; bonussing capability; central determination; gaming software/data downloading capability, etc. In addition, the servers 436, 446, 456 may also provide control and interface functions for the gaming devices within the customer networks 420, 422, 424, in various embodiments.

[0132] In some cases, the gaming software/data may be compiled by the servers 436, 446, 456 and may, therefore, be gaming terminal independent. When properly authenticated by a gaming terminal configured to receive encrypted, etc., game data files (resulting from compiling the gaming software/data), the game data files can direct the gaming terminal to execute the corresponding game and operate the associated devices (i.e., currency printer, buttons, etc.), in one embodiment. As will be appreciated by those of ordinary skill in the art, in addition to the servers 436, 446, 456, the gaming software/data may be compiled on any suitable server in the detailed secure gaming system 400, in various embodiments. In this way, gaming software/data may be efficiently designed, updated, and verified, and in conjunction with the security elements of the detailed secure gaming system 400, may allow "on demand" game play at remotely located gaming terminals.
[0133] The property LANs 438, 448, 458 may be any type of suitable property LAN configuration including, for example, a dedicated hardwired property LAN or a wireless property LAN. Further, the property LANs 438, 448, 458 may be configured in a bus topology, a star topology, a ring topology, a tree topology, a full or partial mesh topology, etc., and may therefore include a single customer network data link or multiple customer network data links. Although the property LANs 438, 448, 458 are shown coupled to two or three gaming terminals and one server, it should be understood that different numbers of gaming terminals and servers may be used. For example, the customer network 422 may include a plurality of servers and tens and/or hundreds of gaming terminals, all of which may be interconnected via the property LAN 448.

[0134] Referring to customer networks 420, 422, 424, each of the property LANs 438, 448, 458 is communicatively coupled to the Internet 416 via a router 460, 462, and 464, respectively. The routers 460, 462, 464, which may be hardware, software or combinations of both, enable transmission of packetized gaming data to an appropriate destination within the detailed secure gaming system 400. Using the addresses on each of the packets, the routers 460, 462, 464 send the packets toward their destination. Although only one router is shown associated with each of the customer networks 420, 422, 424, additional routers may be included, depending on the desired network configuration. Additional routers (not shown) may also be located at various points within the detailed secure gaming system 400.
[0135] As illustrated by FIGs. 4A and 4B, each of the private subsystems of the detailed secure gaming system 400 (e.g., the customer networks 420, 422, 424, the customer corporate data center 426, the jurisdiction data center 430, and the game provider data center network 428) includes a firewall to protect gaming devices within the private subsystems from intrusions via the Internet 416, in one embodiment. Thus, the firewalls 491, 493, 495 are configured to prevent suspect software from entering the customer networks 420, 422, 424, respectively, the firewall 489 is configured to prevent suspect software from entering the game provider data center network 428, the firewall 499 is configured to prevent suspect software from entering the jurisdiction data center 430, and the firewall 497 is configured to prevent suspect software from entering the customer corporate data center 426. In addition, the firewalls may be implemented via traditional router-based firewalls, software-based firewalls, ASICs, network processors, adaptive computing integrated circuits, etc. As a result, each of the firewalls may be configured differently or the same, depending on the security threshold desired.
[0136] Although only one firewall per private subsystem is shown in FIGs. 4A and 4B, additional firewalls may be used. For example, a proxy firewall or two logical firewalls may be used to build a safety buffer around one or more of the private subsystems. The buffer zone may be used to isolate a Web server in one or more of the private networks from other gaming devices within the private network. One firewall may be used to protect the buffer zone itself (i.e., placed between the Web server and the public network), while a second firewall configured with more restrictions, and placed interior to the first (i.e., placed between the Web server and the other gaming devices), protects the gaming devices within the private customer networks.

IIIb. Communication Network

[0137] As previously mentioned, the VPN 412 provides secure access between the gaming devices communicatively coupled to the VPN 412. The gaming devices may be located over a geographically small or large area and therefore may be in close proximity to each other or may be remotely located from each other. For example, the VPN 412 provides secure access between the gaming devices at the customer corporate center 426 and each of its customer networks 420, 422, 424. Similarly, the VPN 414 provides secure access between the gaming devices at the customer corporate center 426 and the game provider data center 428.
[0138] The VPNs 412, 414 may include one or more types of electro-magnetic links, herein referred to as wireless (e.g., radio links, microwaves, etc.) or wireline (dial-up, fiber optic, wires, etc.) network links. For example, in the illustrated embodiment, a satellite link 466 forms a portion of the VPN 412 that communicatively couples the customer network 420 to the Internet 416. Within customer network 420, one or more gaming devices may be directly coupled to a satellite dish 467 via suitable cabling and network interfaces. Thus, gaming data may be transmitted from the customer network 420 to the customer corporate center 426 via the satellite dish 467, the satellite link 466, and the Internet 416, and vice versa.

[0139] Similarly, a radio frequency (RF) link 468 forms a portion of the VPN 412 that communicatively couples the customer network 424 to the Internet 416. The RF link 468 is configured to enable transmission from, or reception to, fixed or mobile gaming devices (e.g., gaming terminal 454, server 456, etc.) of the customer network 424 using any one of a number of well-known RF technologies including, for example, a wireless cellular technology available from Motorola, Inc., or an IEEE 802.11 technology available from Cisco Systems, etc. Thus, if the wireless cellular technology is used to link the customer network 424 with the Internet 416, gaming data may be transmitted from the customer network 424 to the customer corporate center 426 via one or more radio tower(s) 469, one or more base transceiver stations, etc. (not separately illustrated), a central switching office 470 (e.g., PSTN), and the Internet 416, and vice versa.

[0140] A wireline link 474 forms another portion of the VPN 412 that communicatively couples the customer network 422 to other elements of the detailed secure gaming system 400 via the Internet 416. The wireline link 474 may include any number of standard wireline connections, for example, a coaxial cable connection, a phone line connection, a wireline frame relay connection, a wireline ATM connection, a wireline Ethernet connection, etc. Thus, gaming data may be transmitted from the customer network 422 to the customer corporate center 426 via the wireline, or wireline link 474, and vice versa. Additional other network links may be established between the customer networks 420, 422, 424 and/or the customer corporate center 426. For example, the customer network 422 may be communicatively coupled to the customer corporate center 426 via a number of routers (e.g., the router 462) and a local Internet Service Provider (ISP) using one of the wireline or wireless technologies discussed above. Further, although not specifically illustrated in FIGs. 4A and 4B, the jurisdiction data center 430 may be communicatively coupled to the Internet 416 via any of the above-mentioned methods.

IIIc. Customer Corporate Center

[0141] As depicted in FIGs. 4A and 4B, the customer corporate center 426 includes a customer data integrity server 476, a customer corporate server 478, and a customer license server 480 interconnected via the property LAN 482. The customer corporate center 426 may additionally include any number of client computers to provide support for gaming terminal operation.
[0142] The customer, or gaming proprietor, may own one gaming establishment having a few gaming terminals, may own a large casino network having thousands of gaming terminals, or may own a gaming establishment sized somewhere between the two extremes. In the case of a large casino company such as Harrah's, it may be desirable to operate a customer corporate center 426 to configure, coordinate, maintain, and monitor all of the gaming devices associated with the large casino company. A large casino company may, for example, operate 30 casinos averaging 3000 gaming terminals per casino, in 14 different jurisdictions. In addition, a state run gaming operation such as New York state's video lottery terminal network may also require a central function similar to that provided by the customer corporate center 426. The level of complexity of the customer corporate center 426 may vary, depending on numerous factors.

[0143] In general, configuration, coordination, maintenance, and monitoring operations performed by the customer corporate center 426 include, inter alia, knowledge and control of what types of gaming terminals are installed in the various casinos, which versions of gaming software are being run on the gaming terminals, which software gaming components make up those versions, what types of peripheral devices (e.g., bill validators) are associated with the gaming terminals, which version of a particular type of peripheral device is being used, what version of peripheral software is being run on the peripheral devices, etc. Accordingly, the customer corporate server 478 performs the "master" casino floor management tasks associated with configuring, operating, maintaining, and monitoring the gaming devices operated by the customer.
[0144] The customer license server 480 maintains a database of all gaming license information required by the customer. This may include what licenses were purchased by the customer, what licenses have been revoked, what gaming software is currently approved for licensing, the locations of the licensed games, non-available but pending licenses, and all other license information and details.

[0145] The customer data integrity server 476 is configured to maintain a current database of all information associated with approved, rejected, or withdrawn gaming software associated with its gaming terminals, including gaming software components, signatures for authentication purposes, etc. The customer data integrity server 476 is also configured to authenticate and verify gaming terminal software components in the customer's gaming terminals, and to coordinate the steps necessary to shut down a gaming terminal that has been determined to be running unapproved or unauthentic software. Further, the customer data integrity server 476 is configured to collect revenue data from any of the individual gaming terminals operating within the networks maintained by the customer. For redundancy and fault tolerance reasons, some or all of the tasks performed by the customer data integrity server 476 may also be performed by any suitable servers in the customer corporate center 426.
[0146] As will be appreciated by those of ordinary skill in the art, there may be more or fewer servers provided in the customer corporate center 426, depending on the level of configuring, operating, maintaining, and monitoring required.

IIId. Jurisdiction Data Center

[0147] Some jurisdictions may require that a data center be located within their jurisdiction. For example, some jurisdictions such as New Jersey mandate that a jurisdiction data center be maintained by the game providers to oversee wide area gaming networks delivering progressive games. The jurisdiction data center may be required to gather gaming data, to track the configuration of gaming devices, to monitor compliance with jurisdictional regulations, to query gaming devices such as servers and gaming terminals, and to generally have an ability to provide real-time information of the detailed secure gaming system 400 to a jurisdiction user. In addition, the level of oversight required by each of the individual jurisdiction data centers may vary. For example, in New Jersey manual authentication of gaming software in each and every machine may be required, while in Nevada only spot-audit authentication of gaming software/data may be required. In this way, the gaming regulators in a particular jurisdiction can maintain oversight of gaming devices in its jurisdiction.
[0148] A jurisdiction data integrity server 487 within the jurisdiction data center 430 is configured to maintain a current database of all information associated with approved, rejected, or withdrawn gaming software in the jurisdiction, including gaming software components, signatures for authentication purposes, etc. The jurisdiction data integrity server 487 may also be utilized to authenticate and verify gaming terminal software components approved for use by gaming terminals in the particular jurisdiction, to coordinate the steps necessary to shut down a gaming terminal that has been determined to be running unapproved or unauthentic software, and to collect revenue data from any number of sources including the individual gaming terminals, the gaming terminal servers 436, 446, 456, the customer corporate center(s) 426, and the game provider data center(s) 428.

IIId(i). Remote Authentication Routine

[0149] For example, the jurisdiction data integrity server 487 may be configured to perform remote authentication of gaming software/data in a gaming terminal located in the customer network 420. FIG. 5 is a flowchart of an authentication routine 500 that may be performed by a server such as the jurisdiction data integrity server 487. Although the authentication routine 500 is performed using the seed values and hashing techniques discussed above, any number of other suitable authentication routines may be executed by the jurisdiction data integrity server 487.

[0150] Prior to beginning the authentication routine 500, an approved gaming software/data component having an assigned program number is selected for authentication. The gaming terminals having or receiving (via a download) the approved gaming software/data components are identified by their machine ID. After identifying the machine IDs and the program numbers, the jurisdiction data integrity server 487 authenticates the selected gaming software/data components using one of a number of authentication techniques, in various embodiments. First, the jurisdiction data integrity server 487 selects (block 502) a seed value generated via a random number generator. The approved gaming software/data component version selected for authentication is stored in its jurisdiction data integrity server 487. The seed value is appended (block 504) to the approved software component version to be authenticated. The combination of the approved software component version and the appended seed value is manipulated via a cryptographic algorithm such as a SHA-1 algorithm to produce a first message digest (block 506). The addition of the randomly generated seed value prevents a would-be attacker (who managed to discover the message digest expected from the particular gaming software/data component) from manipulating the authentication process by deceiving the jurisdiction data integrity server 487 into believing that an unauthentic gaming software/data component installed on the gaming terminal is authentic. The same seed value is transmitted or downloaded (block 508) to the gaming terminal(s) whose gaming software/data components were selected for authentication. Secure transmission of the seed value may occur via the VPN 414 to the customer corporate center router 479, and via the VPN 412 to the identified gaming terminals.

[0151] Upon receipt, the gaming terminal performs a similar routine: it appends the seed value to the corresponding gaming software/data component (block 510), performs the same calculation to yield a second message digest (block 512), and then transmits the second message digest to the jurisdiction data integrity server 487. The jurisdiction data integrity server 487 compares (block 514) the received message digest calculated by the gaming terminal (the second message digest) to the message digest it previously generated (the first message digest). A match between the first and second message digests indicates that the gaming software/data component installed on the gaming terminal(s) is authentic (block 516). If the first and second message digests do not match, the gaming software/data is not authentic (block 518) and the jurisdiction data integrity server 487 can execute the steps necessary to take the gaming terminal out of service (block 520) using a suitable fail-safe method. In this way, in one embodiment, gaming terminal software can be authenticated and controlled from a remote location such as the jurisdiction data center. This method of authentication can be similarly executed by other gaming devices within the detailed secure gaming system 400. Additional methods of authentication are described in United States Patent Application Serial No. 10/119,663, entitled "Gaming Software Authentication", naming Gadzic et al. as inventors, filed April 10, 2002, and herein incorporated by reference in its entirety.
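The seed-and-digest exchange of routine 500 (blocks 502 through 520), written out as an added example that is not part of the application: the jurisdiction data integrity server 487 and a gaming terminal are modelled as two in-memory objects, the seed and digest are handed over directly instead of crossing the VPNs 414 and 412, and the program number, machine IDs and component bytes are constructed. The constant-time comparison and the 16-byte seed size are this example's choices, not the text's.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def seeded_digest(component: bytes, seed: bytes) -> bytes:
    """Blocks 504/506 (server) and 510/512 (terminal): append the seed to the
    software component and hash the combination with SHA-1, the algorithm the
    text names. Any other digest could be substituted at this one place."""
    return hashlib.sha1(component + seed).digest()


# Constructed sample data: the approved component version for one program
# number, and an altered copy that a terminal might be found running.
APPROVED_COMPONENTS = {"PGM-0001": b"slot-game-A v1.2 paytable=96.5 reels=5"}
TAMPERED_COMPONENTS = {"PGM-0001": b"slot-game-A v1.2 paytable=99.9 reels=5"}


class JurisdictionDataIntegrityServer:
    """Models server 487: keeps the approved component version for each
    program number and the machine IDs it has taken out of service."""

    def __init__(self, approved: dict[str, bytes]) -> None:
        self.approved = dict(approved)
        self.out_of_service: set[str] = set()

    def new_seed(self) -> bytes:
        # Block 502: a fresh random seed for every authentication run.
        return secrets.token_bytes(16)

    def first_digest(self, program_number: str, seed: bytes) -> bytes:
        # Blocks 504/506: digest of the stored approved version plus the seed.
        return seeded_digest(self.approved[program_number], seed)

    def verify(self, machine_id: str, program_number: str,
               seed: bytes, second_digest: bytes) -> bool:
        # Block 514: compare the terminal's digest with the expected one.
        # hmac.compare_digest avoids leaking how many bytes matched.
        authentic = hmac.compare_digest(
            self.first_digest(program_number, seed), second_digest)
        if not authentic:
            # Blocks 518/520: unauthentic software, take the terminal out of service.
            self.out_of_service.add(machine_id)
        return authentic


class GamingTerminal:
    """Models a terminal, identified by machine ID, holding installed components."""

    def __init__(self, machine_id: str, installed: dict[str, bytes]) -> None:
        self.machine_id = machine_id
        self.installed = dict(installed)

    def second_digest(self, program_number: str, seed: bytes) -> bytes:
        # Blocks 510/512: the same calculation over the copy actually installed.
        return seeded_digest(self.installed[program_number], seed)


def run_authentication(server: JurisdictionDataIntegrityServer,
                       terminal: GamingTerminal, program_number: str) -> bool:
    """One pass of routine 500 for one terminal and one program number.
    Returns True when the installed component matches the approved version."""
    seed = server.new_seed()                                # block 502
    digest = terminal.second_digest(program_number, seed)   # blocks 508-512
    return server.verify(terminal.machine_id, program_number, seed, digest)  # 514-520


def seed_defeats_replay() -> bool:
    """Why the seed is there: a digest captured from an earlier run is useless
    in a later run because the server picks a new seed each time.
    Returns True when the stale digest is rejected."""
    server = JurisdictionDataIntegrityServer(APPROVED_COMPONENTS)
    honest = GamingTerminal("MID-100", APPROVED_COMPONENTS)
    stale = honest.second_digest("PGM-0001", server.new_seed())
    return not server.verify("MID-100", "PGM-0001", server.new_seed(), stale)


if __name__ == "__main__":
    server = JurisdictionDataIntegrityServer(APPROVED_COMPONENTS)
    print(run_authentication(server, GamingTerminal("MID-100", APPROVED_COMPONENTS), "PGM-0001"))
    print(run_authentication(server, GamingTerminal("MID-200", TAMPERED_COMPONENTS), "PGM-0001"))
    print(sorted(server.out_of_service), seed_defeats_replay())
```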

[0152] Referring again to FIGs. 4A and 4B, the jurisdiction data center 430 may also include a jurisdiction test lab 485 configured to test hardware and software aspects of gaming terminals and gaming software/data components. In addition to gaming terminals and servers, the lab may include a variety of equipment and diagnostic tools for testing the gaming terminals and associated gaming software/data components.


IIIe. Game Provider Data Center Network

[0153] In the illustrated example, the game provider data center network 428 includes an operation and maintenance (O&M) server 484, a license server 486, a regional game server 483, a global game server 490, and an accounting, authentication, and authorization (AAA) server 492. As will be appreciated by those of ordinary skill in the art, more or fewer servers, configured in another arrangement, may be included in the game provider data center network 428. Although not shown, the game provider regional data center 428 may also include one or more client computers, for example, a game service management client used to access and manage all game provider services.
[0154] As previously mentioned, the game provider data center network 428 is owned and operated by or for a provider of casino gaming terminals, associated gaming software, and gaming infrastructure. In general, the game provider regional data center 428 utilizes a VPN with a client-server arrangement to securely authorize, coordinate, enable, monitor, manage, and/or administer the transfer of game software and associated other software (e.g., licenses) between and among the devices of the detailed secure gaming system 400, in one embodiment.

[0155] The game provider data center network 428 may be provided at the regional level (e.g., the west region including the areas of Oregon, California, Arizona, New Mexico, Colorado), at the corporate global level, or at multiple levels to provide the safety afforded by redundancy and single, double, etc., fault tolerance.
[0156] Within the game provider data center network 428 of FIGs. 4A and 4B, the global game server 490 is configured to maintain a complete database of all game provider products distributed within the detailed secure gaming system 400, in one embodiment. The database of game provider products may include data regarding both hardware and software, their configurations, the status of their gaming software (approved, rejected by a jurisdiction, withdrawn from a jurisdiction and therefore should not be in the field), peripherals associated with its products, versions of the peripherals and their software (e.g., versions of bill validators and versions of bill validation software currently in the field), etc. In addition, the complete database may be used for any number of purposes, for example, to determine whether a particular gaming device in the field requires a software download (e.g., based on its database, the global game server 490 could determine which bill validators need to be updated with a current version of bill validation software).

[0157] The global game server 490 provides a root distribution point for game software including handling secure downloading of game software to both game clients (e.g., gaming terminals 450, 452, etc.) and game servers (e.g., server 456), in one embodiment. Secure downloading of game software between the various gaming devices (i.e., between servers, or between a server and a gaming terminal) requires approval by the AAA server 492.

[0158] The license server 486, which may be a regional-level server or a global-level server, is configured to handle the management and distribution of gaming terminal licenses to a customer(s). A gaming terminal license allows a particular game in the form of game software to be downloaded to, and/or played on, one or more gaming terminals in the detailed secure gaming system 400. The license server 486 also maintains a database of significant license information. This may include what licenses were purchased by what customers, what licenses have been revoked, what gaming software is currently approved for licensing, the locations of the licensed games, non-available but pending licenses, and all other license information and details. The license server 486 may also be configured to perform all activities associated with game licensing.
[0159] The AAA server 492 is configured to provide accounting, authentication, and authorization functions for the game provider, in one embodiment. The accounting function provides an accounting capability to the game provider for any games that the game provider has "on participation" (i.e., the game provider shares in the revenue generated by a game terminal placed in a customer network) or was sold to a customer outright. The accounting capability provided by the AAA server 492 enables the game provider to account for and collect the revenues generated by the gaming terminal. In addition, accounting and/or other metrics information collected from the gaming terminals by the AAA server 492 also may be used to assist in the development of marketing and sales strategies. For example, using data mining or other data correlation techniques, a game provider may be able to determine the popularity of a particular game based on the game's revenue and direct its sales force accordingly. The AAA server 492 can also be used to account for and generate billing information associated with gaming license sales.
[0160] The authentication function of the AAA server 492 provides data integrity capability much like the data integrity servers 476 and 487, described above. Thus, in one embodiment, the AAA server 492 maintains a current database (master list) of all information associated with approved, rejected, or withdrawn gaming software provided by the game provider, including gaming software components, jurisdiction, signatures for authentication purposes, etc.; provides authentication and verification capability of gaming terminal software components approved for use by gaming terminals; coordinates the steps necessary to shut down a gaming terminal that has been determined to be running unapproved, unauthentic, or illegal software; and collects revenue data from any number of sources including the individual gaming terminals, the gaming terminal servers 436, 446, 456, the customer corporate center(s) 426, and the game provider data center network(s) 428. The AAA server 492 may also be capable of ensuring that databases maintained by other servers in the gaming system network environment 400 are current, in one embodiment.

[0161] Although not shown, a separate data integrity server may be included in the game provider data center network 428 or the functionality of the data integrity server (discussed above) may be included in another server within the game provider data center network 428.

[0162] The authorization function of the AAA server 492 provides authorization capability to the game provider data center 428 for any number of gaming related activities, in one embodiment. For example, the AAA server 492 may authorize or deny a gaming license request from the customer corporate center 426 based on a number of factors such as general jurisdiction information (from the jurisdiction data center 430), whether the game associated with the gaming license has been approved for a particular jurisdiction (from the license server 486), credit worthiness of the requesting customer (from the AAA server 492), etc.

IIIe(i). Gaming Software Approval Routine

[0163] FIG. 6 is a high level flowchart of an embodiment of a gaming software approval routine 600 that may be performed by one or more gaming devices and the security elements of the secure gaming system environment 100 and/or the detailed secure gaming system 400. As will be appreciated by those of ordinary skill in the art, the steps of the gaming software approval routine 600 may vary and may be executed in any number of the servers illustrated in FIG. 4 or FIG. 1.
[0164] Once designed, compiled, and tested by a game provider, gaming software (e.g., software components for a slot game) retains a status of "unapproved" until it has been reviewed, tested, and "accepted" by a jurisdiction regulator. In the illustrated example, the unapproved gaming software is maintained in the global game server 490. The unapproved gaming software is forwarded (block 602) from the global game server 490 to the jurisdiction test lab 485 where lab testing and review is performed (block 604) by jurisdiction regulators. The lab testing may include verifying the gaming software, reviewing the pay tables associated with the gaming software, etc., in order to ensure that the gaming terminal complies with jurisdiction regulations and policies. When approval is granted by the jurisdiction regulators, notification of the approval is received by the global game server 490 (block 606). Upon notification of approval, the status of the gaming software is changed (block 608) from the unapproved state to an "approved" state, and an approval number is assigned to the gaming software by the global game server 490. The approval number may come from a jurisdictional authority or it may come from an internally controlled approval database. The "approved" status indicates that the game associated with the approved gaming software is approved for use in the region represented by the jurisdiction data center 430.

[0165] After the approval process is complete, licenses associated with the approved new game are made available for purchase to customers in the jurisdiction. Typically, a separate license is required for every gaming terminal running the approved new game. The approved gaming software may additionally be downloaded to the regional game server 483.
[0166] A request to purchase a license(s) for the approved new game may come from the individual customer network 420, 422, 424 or the customer corporate center 426. The request may be made via a secure communication path such as the VPN 414. Upon payment (that may be delivered via the VPNs 412, 414), the request for the license is processed and accepted using suitable procedures (block 610). Upon completion of the purchase on behalf of the individual customer networks 420, 422, 424 or the customer corporate center 426, the approved new game is downloaded (block 612) from the regional or global game servers 483, 490, either directly to the individual customer network servers 436, 446, 456 for subsequent downloading to the gaming terminals, or to a server (e.g., customer data integrity server 476) in the customer corporate center 426. If delivered to the server in the customer corporate center 426, the approved new game can subsequently be downloaded to a gaming terminal(s) anytime thereafter, depending on the needs of the customer networks 420, 422, 424.
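The ordering that routine 600 and the licensing steps above impose on the global game server 490 (blocks 602 through 612), as an added example that is not code from the application: software stays "unapproved" per jurisdiction until the lab's decision arrives, an approval number is then recorded (from the jurisdiction or from an internal approval database), licenses are sold one per terminal and only against payment, and a download is released only while both conditions hold. Game names, jurisdiction codes, customer names and approval numbers are constructed; the "INT-" prefix for internally assigned numbers is this example's convention.

```python
from __future__ import annotations

from dataclasses import dataclass, field

UNAPPROVED, APPROVED, REJECTED = "unapproved", "approved", "rejected"


@dataclass
class SoftwareRecord:
    image: bytes                                          # compiled game software
    status: dict[str, str] = field(default_factory=dict)  # jurisdiction -> status
    approval_number: dict[str, str] = field(default_factory=dict)


class GlobalGameServer:
    """Models server 490: holds software until a jurisdiction approves it and
    gates every license sale and download on that approval."""

    def __init__(self) -> None:
        self.records: dict[str, SoftwareRecord] = {}
        # (customer, game, jurisdiction) -> licenses bought but not yet consumed
        self.licenses: dict[tuple[str, str, str], int] = {}
        self.next_internal_number = 1

    def submit(self, game: str, image: bytes) -> None:
        """Software as built and tested by the game provider: no status anywhere yet."""
        self.records[game] = SoftwareRecord(image)

    def forward_to_lab(self, game: str, jurisdiction: str) -> bytes:
        """Block 602: hand the image to the jurisdiction test lab; it is now
        'unapproved' in that jurisdiction until a decision comes back."""
        rec = self.records[game]
        rec.status[jurisdiction] = UNAPPROVED
        return rec.image

    def receive_lab_decision(self, game: str, jurisdiction: str,
                             approved: bool, number: str | None = None) -> str:
        """Blocks 606/608: record the regulator's decision. On approval the
        status flips and an approval number is stored, taken from the
        jurisdiction when supplied or from the internal approval database."""
        rec = self.records[game]
        if rec.status.get(jurisdiction) != UNAPPROVED:
            raise ValueError("decision for software never forwarded to this lab")
        if not approved:
            rec.status[jurisdiction] = REJECTED
            return REJECTED
        if number is None:
            number = f"INT-{self.next_internal_number:04d}"
            self.next_internal_number += 1
        rec.status[jurisdiction] = APPROVED
        rec.approval_number[jurisdiction] = number
        return number

    def purchase_licenses(self, customer: str, game: str, jurisdiction: str,
                          terminals: int, payment_received: bool) -> bool:
        """Block 610: one license per terminal, sold only for software that is
        approved in the customer's jurisdiction and only once payment is in."""
        rec = self.records.get(game)
        if rec is None or rec.status.get(jurisdiction) != APPROVED:
            return False
        if not payment_received or terminals <= 0:
            return False
        key = (customer, game, jurisdiction)
        self.licenses[key] = self.licenses.get(key, 0) + terminals
        return True

    def download(self, customer: str, game: str, jurisdiction: str) -> tuple[bool, str]:
        """Block 612: release the image for one terminal. Returns (granted, detail),
        where detail is the approval number on success or the reason for refusal."""
        rec = self.records.get(game)
        if rec is None or rec.status.get(jurisdiction) != APPROVED:
            return False, "not approved in jurisdiction"
        key = (customer, game, jurisdiction)
        if self.licenses.get(key, 0) == 0:
            return False, "no unused license"
        self.licenses[key] -= 1
        return True, rec.approval_number[jurisdiction]
```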
[0167] The operations and maintenance (O&M) server 484 is configured to provide operations, administration, maintenance, and provisioning functions for designated gaming devices and associated hardware/software of the detailed secure gaming system 400, in one embodiment. The level of operations, administration, and maintenance performed by the O&M server 484 varies depending on the complexity of the detailed secure gaming system 400. For example, diagnostic tools provided by the O&M server 484 may be enhanced by the addition of corresponding diagnostic tools in the gaming terminals or in the gaming software. Tasks performed by the O&M server 484 may also be performed in other servers of the detailed secure gaming system 400 to ensure redundancy.

[0168] Although too numerous to mention, some of the tasks required for operations, administration, and maintenance functions by the O&M server 484 can include monitoring service data such as hopper empty indicators from gaming terminals, remotely diagnosing software and hardware anomalies associated with the gaming devices, performing automated fixes to the gaming devices, automatically facilitating gaming device part ordering and delivery, coordinating and instructing individual field operation technicians or crews, analyzing gaming data to identify recurring problems and patterns (i.e., data mining) in the gaming devices, responding to manual requests for operations and service, automating and coordinating gaming software downloads, etc.

[0169] A router 494 is provided to route gaming data from the game provider regional data center 428 to other devices within the detailed secure gaming system 400, and vice versa.

IV. GAMING TERMINAL

[0170] Fig. 7 is a perspective view of one possible embodiment of a gaming terminal 750. The gaming terminal 750 may be any type of casino gaming terminal and may have varying structures and methods of operation. For example, the gaming terminal 750 may be a mechanical gaming terminal configured to play mechanical slots, or it may be an electromechanical or video gaming terminal configured to play a video casino game such as blackjack, slots, keno, poker, a video lottery game, any number of class II or class III games defined by the Indian Gaming Regulatory Act (IRGA), and so on. For exemplary purposes, various elements of the gaming terminal 750 are described below, but it should be understood that numerous other elements may exist and may be utilized in any number of combinations to create a variety of gaming terminal types.
[0171] Referring to Fig. 7, the casino gaming terminal 750 may include a cabinet 712 that includes a door 714 on the front of the gaming terminal 750. The door 714 provides access to the interior of the gaming terminal 750. Attached to the door 714 are audio speaker(s) 717 and belly glass 716 that enable auditory and visual effects to add to the excitement of the gaming experience. For example, the audio speaker(s) 717 may generate audio representing sounds such as the noise of spinning slot machine reels, a dealer's voice, music, announcements or any other audio related to a casino game. Visual effects, including flashing or other patterns displayed from lights behind the belly glass 716, may attract a player to the game and may enhance player excitement.
[0172] Also attached to the door 714 are a number of value input devices (discussed below). The value input devices may include a coin slot acceptor 720 or a note acceptor 722 to input value to the gaming terminal 750. The note acceptor 722 may accept value in any number of forms, including currency or a currency-sized paper ticket voucher inscribed with information such as a bar code representing value, the name of the casino, the date, etc. A value input device may include any device that can accept value from a customer. As used herein, the term "value" may encompass gaming tokens, coins, paper currency, ticket vouchers, credit or debit cards, smart cards, and any other object representative of value.

[0173] The gaming terminal 750 also includes a player tracking area 723 having a card reader 724, a keypad 725 and a display 726. As will be appreciated by those of ordinary skill in the art, the player tracking area 723 may be located in any number of areas of the gaming terminal 750. The display 726 may be configured using a vacuum fluorescent display (VFD), a liquid crystal display (LCD), and/or a touch screen, and may be used to display simple information to a game player or casino employee. The card reader 724 may include any type of card reading device, such as a magnetic card reader, smart card reader or an optical card reader. The card reader 724 may be used to read data from a card (e.g., a credit card, a player tracking card, or a smart card) offered by a player. If provided for player tracking purposes, the card reader 724 may be used to read data from, and/or write data to, player tracking cards capable of storing data. Such data may include the identity of a player, the identity of a casino, the player's gaming habits, etc. Once gathered, the data may be "mined" (i.e., the data is sorted to identify patterns and establish relationships) for any number of purposes including administering player awards, distinguishing player preferences and habits, accounting, etc.

[0174] The card reader 724 may also be used by casino personnel (e.g., a slot technician) to gain access to the gaming terminal in order to perform tasks such as coin collection, hopper filling, etc. In that case, the casino employee may also be required to enter an identifying code, for example a PIN number, via the keypad 725. The keypad may also be used by the casino employee to enter additional information regarding the task. In this way, access to the interior of the gaming terminal 750 is restricted.

[0175] If provided on the gaming terminal 750, a ticket printer 729 may be used to print or otherwise encode ticket vouchers 730 with the casino name, the type of ticket voucher, a validation number, a barcode with control and/or security data, the date and time of issuance of the ticket voucher, redemption instructions and restrictions, a description of an award, and/or any other information that may be necessary or desirable. A variety of types of ticket vouchers 730 could be used, such as casino chip ticket vouchers, cash-redemption ticket vouchers, bonus ticket vouchers, extra game play ticket vouchers, merchandise ticket vouchers, restaurant ticket vouchers, show ticket vouchers, etc.
[0176] The gaming terminal 750 may also include a video display 731 for displaying images relating to the game or games provided by the gaming unit 750, and an information table (not shown) viewable through the door 714. The video display 731 may be a cathode ray tube (CRT), a high resolution LCD including an LCD-TFT display, a plasma display, or any other type of video display suitable for use in a gaming terminal. The video display 731 may be configured to provide animation, 2-D or 3-D images, digital video playback, and/or any number of other suitable displays. The information table typically includes general game information such as game denominations (e.g., $0.25, $1, $5) and payline options. In the alternative, the gaming terminal 750 may also include a number of mechanical reels and an information table (not shown) viewable through the door 714.
[0177] The gaming terminal 750 may also include a box top 734 configured to intensify player excitement through the use of additional speaker(s) 736, a bonus video display screen 738, and an optional microphone (not shown) and camera (not shown). The bonus video display screen 738, configured as a backlit silk screen panel, an LCD screen, or a video monitor, can enable a number of game enhancements such as bonus games, tournament games, progressive jackpot games, etc. In addition, a tower light or candle 742 mounted atop the gaming terminal 750 may be included to provide a quick visual indication of the status of the gaming terminal 750. The candle 742 can have any number of configurations and purposes. For example, the candle 742 may be constructed as a clear tube structure containing a variety of staggered color inserts, which when illuminated in predetermined patterns, indicates a status of the gaming terminal 750 to a player (e.g., money denomination indicator, jackpot winner indicator) or to casino personnel (e.g., maintenance problem). The candle 742 may also provide a location for additional peripheral devices.
[0178] The gaming terminal 750 may also include a player control panel 744. The player control panel 744 may be provided with a number of pushbuttons or touch-sensitive areas (i.e., touch screen) that may be pressed by a player to select games, make wagers, make gaming decisions, etc. As used herein, the term "button" is intended to encompass any device that allows a player to make an input, such as a mechanical input device that must be depressed to make an input selection or a display area that a player may simply touch. The number of pushbuttons may include one or more "Bet" buttons for wagering, a "Max Bet" button for making the maximum wager allowable for the game, a "Play" button for beginning play, a "Repeat" button for repeating the previous wagering selection, a "Collect" button for terminating play and cashing out of the game, a "Help" button for viewing a help screen, a "Pay Table" button for viewing the pay tables, a "See Pays" button for causing the video display 731 to generate one or more display screens showing the odds or payout information for the game or games provided by the gaming terminal 750, and a "Call Attendant" button for calling an attendant. In addition, if the gaming terminal 750 provides a slot game having a plurality of reels (video or electro-mechanical), the player control panel 744 may be provided with a number of wager selection buttons, each of which allows a player to specify a wager amount for each pay line selected (via selecting multiple amounts of the smallest wager accepted). Additional game specific buttons may also be provided on the player control panel 744 or elsewhere on the gaming terminal 750 to facilitate play of a specific game executing on the gaming terminal 750.
[0179] If the gaming terminal 750 is configured as a mechanical slot game having a number of reels and a number of selectable pay lines which define winning combinations of reel symbols, the control panel 744 also includes a number of selection buttons. The selection buttons allow the player to select one of a number of possible pay lines prior to spinning the reels. For example, five selection buttons may be provided to allow a player to select between one, three, five, seven or nine pay lines prior to each reel spin.

[0180] As will be understood by those of ordinary skill in the art, the term "control panel" should not be construed to imply that a panel separate from the housing 712 of the gaming terminal 750 is required, and the term "control panel" may encompass a plurality or grouping of player activatable buttons. Further, although the control panel 744 is shown to be separate from the video display 731, it should be understood that the control panel 744 could be generated by the video display 731 as a touch-sensitive screen.



[0181] Although not separately illustrated, the gaming terminal 750 includes a number of universal asynchronous receiver/transmitter ports to facilitate the addition of auxiliary components such as the ticket printer, the touchscreen, the bill validator, etc. Universal asynchronous receiver/transmitter ports may also be included on gaming terminal 750 to enable progressive jackpot capability, diagnostic capability, jurisdiction system capability, server system capability, etc.

[0182] FIG. 8 is a flowchart of an embodiment of a main routine 800 that may be performed during operation of one or more of the gaming terminals of FIG. 1 and FIG. 4. The main routine 800 may be stored in one or more of the memories of the controller 200, or it may be stored remotely outside of the gaming terminal 750.
[0183] Referring to FIG. 8, the main operating routine 800 may begin operation when the controller 200 detects a value input from a game player (block 802). The controller 200 may detect the value input in any number of ways. For example, the controller 200 may detect the value input if the player deposited one or more coins, paper currency, a card, or a voucher into the gaming terminal 750. Alternatively, the controller 200 may simply detect a player in the vicinity of the gaming terminal 750, either by well known detection methods (e.g., motion detectors, IR sensors) or by the player pressing any button on the gaming terminal 750, and respond accordingly.

[0184] Upon detection of the value input, the gaming terminal 750 may terminate its attraction sequence (i.e., a visual and/or audio display designed to attract a player to that particular gaming terminal), if provided, and display a base game list generated (block 804) by the controller 200. The base game list allows the player to view and select from among games available for play on the gaming terminal 750. In addition, the controller 200 may also display player instructions, odds of winning, etc., to the player. Alternatively, in the case of a single-game machine such as a mechanical slot game, upon detection of the value input, the gaming terminal 750 may generate only a single-game routine.
[0185] Upon base game selection by the player (block 806), the controller 200 causes one of the number of base game routines to be performed to allow game play (block 808). For example, the base game routines could include a video slot routine, a video poker routine, a video blackjack routine, a video bingo routine, a video keno routine, etc. Upon winning the base game, the controller may dispense credit to the player. If no base game selection is made by the player within a predetermined time period, the gaming terminal 750 may revert back to the beginning of the main routine 800 and, optionally, display an attraction sequence.
[0186] After one of the base game routines (e.g., a video slot routine, a video poker routine, a video blackjack routine, a video bingo routine, a video keno routine, etc.) has been performed to allow base game play, the controller 200 determines if the player is entitled to an award and/or a bonus game play award (block 810). If an award is due, the controller 200 dispenses credit to the player as discussed above in connection with FIG. 7.
[0187] The bonus game play award may include providing specialty games such as Hollywood Squares, Reel 'Em In, Monopoly, etc., or may include providing free additional base game play, for example, free spins in the case of a slot game. Awarding bonus game play is typically triggered by one of a number of predetermined results such as the player winning via a particular combination of reel symbols, selecting a particular symbol, etc. If the controller 200 determines that the player is entitled to bonus game play, the controller 200 enables bonus game play (block 812).
[0188] Upon completion of the bonus game play by the player, the controller 200 determines (block 814) whether the player wishes to continue play (via selecting the "Repeat" button) or wishes to terminate the game and cash out (via selecting the "Collect" button). If the player selects to terminate the game and has a credit balance, the controller 200 may dispense (block 816) the credit balance to the player in any number of forms discussed above in connection with FIG. 7. If the player wishes to continue, the controller 200 may again generate the base game selection display, enable base game option selections, or in the case of a single-game machine, may enable the player to select the appropriate game parameters.

[0189] If the controller 200 determines that the player is not entitled to bonus game play, it enables additional base game play for the player as discussed above. If the player does not want to continue play, the controller 200 also enables a cash-out option (block 816) to dispense remaining credit to the player.

Slots: 

[0190] FIG. 9 is an exemplary visual display 900 that may be displayed on the video display 731 during performance of a slot routine. In the illustrated example, the exemplary visual display 900 includes video images 902 of five slot machine reels, each of the five reels having a number of reel symbols 904 disposed thereon. Although the exemplary visual display 900 shows five reel images with three reel symbols visible per reel, other reel configurations may be utilized.
[0191] The exemplary visual display 900 also includes a number of buttons to enable slot game play by a player. In the illustrated example, selection of a "Collect" button 914 allows the player to collect winnings at the completion of the slot game; selection of the "Pay Table" button 916 allows the player to view the pay table associated with the slot game; selection of the "Select Lines" button 917 allows the player to select the number of lines to be bet; selection of the "Bet Per Line" button 918 allows the player to change the amount of credits bet on each line; selection of the "Spin Reels" button 920 allows the player to spin the reel images 902; selection of the "Max Bet Spin" button 922 allows the player to bet maximum credits instantly. A "Help" button may also be included to allow the player to get instruction on the slot game play.

[0192] FIG. 10 is a flowchart of an embodiment of the slot routine 1000 that may be performed by one or more of the gaming terminals. The slot routine 1000 may be stored in one or more of the memories of the controller 200, or it may be stored remotely outside of the gaming terminals 22. For example, the slot routine 1000 may be stored in the server 28.

[0193] Referring to FIG. 10, the slot routine 1000 may begin operation when the controller 200 detects a value input from a game player (block 1002). The controller 200 detects the value input if a player deposited one or more coins, paper currency, a card, or a voucher into the gaming terminal 22. Upon detection of the value input, the controller 200 enables a base game to be played. In the illustrated example, the base game comprises a slot game. However, the base game may also comprise any number of other "traditional" casino games such as video poker, video blackjack, video keno, video bingo, video pachinko, video lottery, etc., as discussed in connection with FIG. 8.

[0194] After value input detection, the controller 200 enables a payline selection (block 1004) and a bet-per-payline selection (block 1006) as follows. First, the player may either depress a button such as a "Select Lines" pushbutton provided on the player control panel 744 to make a payline selection or depress a video display button provided by a touch screen on the gaming terminal 22. The payline selection causes one or more paylines to be activated. For example, in the illustrated example, the player may select 3 horizontal paylines, a "V" shaped payline, an inverted "V" shaped payline, etc. across 5 reels. Second, the player may either depress a button such as a "Bet Per Line" pushbutton provided on the player control panel 744 to make a bet per payline selection or depress a button provided by a touch screen on the gaming terminal 22. The bet-per-payline selection causes an amount per payline to be wagered with the total wager divided equally between each selected payline. In addition, the controller 200 enables the player to select a maximum bet (via a "Max Bet Spin" button). Thus, the player may choose the maximum bet option causing maximum payline selection and maximum credits (block 1010) rather than the payline selection (block 1004) and the bet per payline selection (block 1006).
[0195] After receiving the value input and detecting a payline and bet-per-payline, the controller 200 enables play of the base game (block 1008). For example, in the illustrated example, the player may spin the reels by depressing a button such as a "Spin Reels" pushbutton provided on the player control panel 744 or depressing a video display button provided by a touch screen on the gaming terminal 22. Alternatively, if the slot game is a mechanical slot game comprising a number of mechanical reels having reel symbols disposed thereon, the player may pull a handle provided on the gaming terminal 22 to initiate the reel spin.
[0196] Upon completion of the base game, the controller 200 determines whether the player has won (block 1012). A paytable, typically displayed on the gaming terminal 22, displays the winning combinations of reel symbols. If the player has won, the controller 200 credits the player's value input based on the paylines and the bet-per-payline selected (block 1014). If the controller 200 determines that the player has not won, the gaming terminal 22 enables additional slot game play for the player (block 1024). The controller 200 also enables a cash-out option (block 1026) via a cash-out button, for example, a "Collect" button provided on the gaming terminal 22. Upon selection of the cash-out button, the gaming terminal dispenses value (block 1028) to the player. The value may be dispensed as coins, paper currency, a credit on a card, or a voucher indicating credit.

[0197] In some cases, the controller 200 determines that the player is entitled to an optional bonus game award (block 1016) and enables bonus game play (block 1018). If the controller 200 determines that the player is not entitled to bonus game play, it enables additional slot game play for the player (block 1024). The player may then play again if value input remains (block 1002) or, if no value input remains, the player may deposit additional value input. If additional slot game play is not desired, a cash-out option (block 1026) via the cash-out button is available to the player. Upon selection of the cash-out button, the gaming terminal dispenses value (block 1028) to the player.
[0198] Upon completion of the bonus game (block 1018), the controller 200 determines whether the player has won (block 1020). If the player has won, the controller 200 credits the player's value input based on a bonus game paytable (block 1022). If the controller 200 determines that the player has not won, the gaming terminal 22 enables additional slot game play for the player (block 1024). If additional slot game play is not desired, a cash-out option (block 1026) via the cash-out button is available to the player. Upon selection of the cash-out button, the gaming terminal dispenses value (block 1028) to the player.
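The slot routine 1000 (blocks 1002 through 1028) and the credit handling of the main routine 800 are, from the controller's point of view, one accounting loop: value in, a wager fixed by payline count times bet per line (or the maximum of both), an outcome evaluated against the paytable, and a cash-out that empties the credit meter. The Python below is an added example of that loop and is not code from the patent. The symbols, the five payline shapes (three horizontal, a "V" and an inverted "V" across five reels, as the text describes), the paytable values, the bet limit and the class and function names (SlotTerminal, evaluate, line_win) are all constructed for the illustration; the real paytable and reel strips would come from the approved game.

```python
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

SYMBOLS = ("7", "BAR", "CHERRY", "BLANK")   # constructed reel symbols
REELS, ROWS = 5, 3                           # five reels, three symbols visible per reel
MAX_BET_PER_LINE = 5                         # constructed limit

# Payline shapes: the visible row selected on each of the five reels (constructed).
PAYLINES: Dict[int, Tuple[int, ...]] = {
    1: (1, 1, 1, 1, 1),   # middle horizontal
    2: (0, 0, 0, 0, 0),   # top horizontal
    3: (2, 2, 2, 2, 2),   # bottom horizontal
    4: (0, 1, 2, 1, 0),   # "V"
    5: (2, 1, 0, 1, 2),   # inverted "V"
}

# Constructed paytable: (symbol, matching reels from the left) -> credits per credit bet.
PAYTABLE: Dict[Tuple[str, int], int] = {
    ("7", 5): 500, ("7", 4): 50, ("7", 3): 10,
    ("BAR", 5): 100, ("BAR", 4): 20, ("BAR", 3): 5,
    ("CHERRY", 5): 20, ("CHERRY", 4): 8, ("CHERRY", 3): 3,
}

Window = List[List[str]]   # window[reel][row]


def line_win(window: Window, line: Tuple[int, ...], bet_per_line: int) -> int:
    """Credits won on one payline: count leading reels matching reel 1, then look it up."""
    symbols = [window[reel][row] for reel, row in enumerate(line)]
    run = 1
    for s in symbols[1:]:
        if s != symbols[0]:
            break
        run += 1
    return PAYTABLE.get((symbols[0], run), 0) * bet_per_line


def evaluate(window: Window, active_lines: Iterable[int], bet_per_line: int) -> int:
    """Blocks 1012/1014: total win over the selected paylines."""
    return sum(line_win(window, PAYLINES[n], bet_per_line) for n in active_lines)


class SlotTerminal:
    """Hypothetical controller state for one terminal: credit meter, line and bet selections."""

    def __init__(self, rng=None) -> None:
        # Outcome source; a real terminal uses an approved RNG, here the OS CSPRNG.
        self.rng = rng or secrets.SystemRandom()
        self.credits = 0
        self.lines = 1
        self.bet_per_line = 1

    def insert_value(self, credits: int) -> None:          # block 1002
        if credits <= 0:
            raise ValueError("value input must be positive")
        self.credits += credits

    def select_lines(self, n: int) -> None:                # block 1004
        if n not in PAYLINES:
            raise ValueError("unknown payline count")
        self.lines = n

    def select_bet_per_line(self, bet: int) -> None:       # block 1006
        if not 1 <= bet <= MAX_BET_PER_LINE:
            raise ValueError("bet per line out of range")
        self.bet_per_line = bet

    def max_bet(self) -> None:                             # block 1010
        self.lines = max(PAYLINES)
        self.bet_per_line = MAX_BET_PER_LINE

    def total_wager(self) -> int:
        return self.lines * self.bet_per_line

    def spin(self) -> int:                                 # blocks 1008, 1012, 1014
        wager = self.total_wager()
        if wager > self.credits:
            raise PermissionError("insufficient credits for the selected wager")
        self.credits -= wager   # debit before the outcome exists, never after
        window = [[self.rng.choice(SYMBOLS) for _ in range(ROWS)] for _ in range(REELS)]
        win = evaluate(window, range(1, self.lines + 1), self.bet_per_line)
        self.credits += win
        return win

    def cash_out(self) -> int:                             # blocks 1026, 1028
        paid, self.credits = self.credits, 0
        return paid


if __name__ == "__main__":
    t = SlotTerminal()
    t.insert_value(100)
    t.select_lines(3)
    t.select_bet_per_line(2)
    print("won", t.spin(), "credits", t.credits, "cashed out", t.cash_out())
```

Two details matter beyond the flowchart: the wager is deducted before the outcome is generated, so a fault during evaluation can never leave a player with both the stake and a win, and the outcome source is injected, which is what lets a test pin the reels to a known window while production uses the approved RNG.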

[0199] As may be apparent from the discussion above, embodiments of the present invention provide security methods and apparatus for a secure gaming system environment. The security methods and apparatus are configured in a layered fashion, in one embodiment, as described above to ensure software, hardware, and firmware integrity of the gaming devices, security elements and associated communication networks of the secure gaming system environment.
[0200] The security methods and apparatus utilize a combination of perimeter defenses, in one embodiment, such as firewalls, anti-virus software and anti-virus scanners; two factor authentication; authentication of gaming software/data before and after installation including "on demand" authentication; authentication, authorization, and accounting of the gaming sessions; data integrity assurance of designated software files in designated gaming devices in the secure gaming system environment including gaming devices at the network level, the server level and the gaming terminal level; gaming software vulnerability assessment (VA); network VA using network-based scanners and host-based scanners; security information management including security policy implementation, security teams, security reports, incident response, etc.; and network-based and host-based proactive and reactive intrusion detection (ID) systems.

[0201] For example, the secure gaming apparatus 24, 30 provides access control at the network level that enables secure communication between and among the gaming devices. Access control provided by the secure gaming apparatus 24, 30 is enabled via one or more of VPN application software, firewalls, VPN tunneling protocols, and cryptographic methods/protocols, in one embodiment. The access control apparatus 25, 34 provides access control and authorization determination at the gaming device level. Access control to the gaming devices including software, peripherals, memory, etc. is enabled via access restriction methods provided by the access control apparatus 25, 34, in one embodiment. The access restriction methods include, in one embodiment, gaming device specific firewalls, usernames and passwords, biometric identifiers, access tokens, time-based access, and cryptographic methods/protocols.
[0202] The integrity apparatus 26, 32 provides access control at both the network and gaming device levels, in one embodiment, to ensure integrity, authentication, and non-repudiation of received or resident gaming software/data. Access control to the gaming devices including software, peripherals, memory, etc. by the integrity apparatus 26, 32 is enabled, in one embodiment, using one or more individual authentication protocols, for example, MACs, one-way hash algorithms, public-key cryptography (PKI), digital signature schemes or code signing, symmetric encryption, session keys, and random number generators, to name a few. Other advantages of the inventive subject matter may be further apparent to those of skill in the art.
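Paragraphs [0200] and [0202] name the ingredients of "before and after installation" and "on demand" authentication of gaming software without showing how they fit together; the Python below is an added example of one such fit, not code from the patent. It uses a one-way hash (SHA-256) for each file and a MAC (HMAC-SHA256 under a shared key) over the whole file list, two of the mechanisms listed in [0202], so that the same manifest can be checked at install time and again at any later moment. The function names, the shared key, the file names and the scenario are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List, Tuple


def file_digest(path: str) -> str:
    """One-way hash (SHA-256) of a file, streamed so large game images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: Dict[str, str]) -> bytes:
    # A fixed serialization so the MAC covers exactly the same bytes on both sides.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: str, key: bytes) -> dict:
    """Hash every file under root and MAC the file list (done by the distributing server)."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = file_digest(full)
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "tag": tag}


def verify_manifest(root: str, manifest: dict, key: bytes) -> Tuple[bool, List[str]]:
    """Re-check installed files against the manifest; usable at install time and on demand."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, ["manifest tag invalid"]   # the file list itself cannot be trusted
    problems: List[str] = []
    on_disk = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            on_disk.add(os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/"))
    for rel, digest in sorted(manifest["files"].items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append(f"missing: {rel}")
        elif not hmac.compare_digest(file_digest(full), digest):
            problems.append(f"digest mismatch: {rel}")
    for rel in sorted(on_disk - set(manifest["files"])):
        problems.append(f"unlisted file: {rel}")   # present on disk but not in the approved set
    return not problems, problems


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: clean install, a modified file, an extra file, and a
    manifest whose file list was edited without the key."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as root:
        _write(root, "game.bin", b"approved game image v1")
        _write(root, "config/paytable.cfg", b"lines=5\nmaxbet=5\n")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        _write(root, "game.bin", b"approved game image v1 with a changed byte")
        after_tamper = verify_manifest(root, manifest, key)

        _write(root, "extra.bin", b"not part of the approved package")
        with_extra = verify_manifest(root, manifest, key)

        forged = {"files": dict(manifest["files"]), "tag": manifest["tag"]}
        forged["files"]["game.bin"] = file_digest(os.path.join(root, "game.bin"))
        forged_manifest = verify_manifest(root, forged, key)
    return {"clean": clean, "after_tamper": after_tamper,
            "with_extra": with_extra, "forged_manifest": forged_manifest}


if __name__ == "__main__":
    for scenario, (ok, problems) in demo().items():
        print(f"{scenario}: {'ok' if ok else 'FAIL'} {problems}")
```

The MAC is checked first and with a constant-time comparison, because a file list that fails the MAC tells the verifier nothing; an edited list that re-hashes the changed file still fails, since the key is needed to recompute the tag. An HMAC gives integrity and authentication but not the non-repudiation [0202] also asks for: where the terminal must be able to verify without holding a secret, the tag would be replaced by a digital signature (code signing) over the same canonical bytes.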
[0203] The various procedures described herein can be implemented in hardware, firmware or software. A software implementation can use microcode, assembly language code, or a higher-level language code. The code may be stored on one or more volatile or non-volatile computer-readable media during execution or at other times. These computer-readable media may include hard disks, removable magnetic disks, removable optical disks, magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, RAMs, ROMs, and the like. Accordingly, a computer-readable medium, including those listed above, may store program instructions thereon to perform a method, which when executed within an electronic device, result in embodiments of the inventive subject matter to be carried out.
[0204] From the foregoing, it will be observed that numerous variations and modifications may be effected without departing from the scope of the novel concept of the inventive subject matter. It is to be understood that no limitations with respect to the specific methods and apparatus illustrated herein is intended or should be inferred. It is, of course, intended to cover by the appended claims all such modifications as fall within the scope of the claims.



1. A method comprising:

a game server receiving a request, over a communication network, from a requestor for a license to use an approved gaming software program;

receiving an indication of payment for the license; and

downloading the approved gaming software program to the requestor in response to the indication of payment.

2. The method of claim 1, wherein the request is received over a secure communication path within the communication network.



3. The method of claim 2, wherein the secure communication path is a virtual private network.



4. The method of claim 1, wherein the requestor is a second game server, the method further comprising:

subsequently downloading the approved gaming software program to one or more gaming terminals.

5. The method of claim 4, wherein subsequently downloading comprises:

the second game server authenticating the one or more gaming terminals;

the second game server encrypting the approved gaming software program; and

the second game server transmitting the approved gaming software program over the communication network.

6. The method of claim 1, further comprising:

forwarding unapproved gaming software to a lab, the lab configured to test compliance of the unapproved gaming software with a plurality of regulations;

receiving a notification of approval of the unapproved gaming software from the lab, the notification of approval indicating compliance of the unapproved gaming software with the plurality of regulations; and

changing a status of the unapproved gaming software to form the approved gaming software.



7. A method comprising:

receiving a notification of approval of unapproved gaming software, over a communication network, the notification of approval indicating compliance of the unapproved gaming software with a plurality of regulations; and

changing a status of the unapproved gaming software to form approved gaming software.

8. The method of claim 7, further comprising:

forwarding the unapproved gaming software over the communication network to a lab, the lab configured to test compliance of the unapproved gaming software with the plurality of regulations.

9. The method of claim 7, further comprising:

the game server receiving a request, over a communication network, from a requestor for a license to use the approved gaming software;

receiving an indication of payment for the license; and

downloading the approved gaming software to the requestor in response to the indication of payment.

10. A method comprising:

receiving unapproved gaming software by a game server of a secure gaming system;

forwarding, using one of a plurality of secure communication links within a communication network, the unapproved gaming software to a jurisdiction lab of the secure gaming system, the jurisdiction lab configured to test compliance of the unapproved gaming software with a plurality of jurisdiction regulations and policies;

receiving a notification of approval of the unapproved gaming software from the jurisdiction lab, the notification of approval indicating compliance of the unapproved gaming software with the plurality of jurisdiction regulations and policies;

changing a status of the unapproved gaming software to form approved gaming software, the approved gaming software having an approval identifier;

receiving a request to purchase a license for the approved gaming software, the license entitling a holder of the license to use the approved gaming software; and

forwarding, using another of the plurality of secure communication links, the approved gaming software to a gaming device of the secure gaming system upon receipt of a payment for the license, the gaming device owned by the holder of the license.

11. The method of claim 10, wherein the unapproved gaming software comprises gaming software compiled and tested by a game provider.

12. The method of claim 10, wherein each of the plurality of secure communication links includes one or more security elements selected from a group of security elements that includes a virtual private network application software, a virtual private network tunneling protocol software, a firewall, a dedicated communication link, and a cryptographic protocol.

13. The method of claim 12, wherein the cryptographic protocol is selected from a group of protocols that includes a message authentication code protocol, a one-way hash protocol, a public-key cryptography protocol, a digital signature protocol, a symmetric encryption protocol, and a random number generator protocol.
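Claims 10 through 13 describe a workflow (submit, lab review, status change with an approval identifier, license purchase on payment, delivery to a licensed device) and list the cryptographic building blocks the secure links may use, but they do not fix how the approval identifier is formed or how a device decides to trust a download. The following added example is not part of the patent; it is a stand-alone model of that workflow which assumes the approval identifier is a message authentication code (one of the options named in claim 13) computed by the lab over the package name, version and one-way hash of its contents, under a key the lab shares with the game server and the gaming devices. Every name in it (Package, JurisdictionLab, GameServer, GamingDevice, run_flow) and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a compiled game package (claim 11); not real firmware.
SAMPLE_PAYLOAD = b"\x7fELF stand-in bytes for a reel-slot game binary"


def _approval_message(name: str, version: str, digest: str) -> bytes:
    """Canonical bytes the lab authenticates: identity plus content hash."""
    return f"{name}|{version}|{digest}".encode()


@dataclass
class Package:
    name: str
    version: str
    payload: bytes
    status: str = "unapproved"           # changed to "approved" only by the server
    approval_id: Optional[str] = None    # hypothetical: HMAC tag issued by the lab

    def digest(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()


class JurisdictionLab:
    """Tests compliance and, if it passes, issues the approval identifier."""
    def __init__(self, key: bytes):
        self._key = key

    def review(self, pkg: Package, compliant: bool) -> Optional[str]:
        if not compliant:
            return None
        msg = _approval_message(pkg.name, pkg.version, pkg.digest())
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


def approval_is_valid(pkg: Package, approval_id: Optional[str], lab_key: bytes) -> bool:
    """Recompute the tag over the package as it exists now; any content change fails."""
    if not approval_id:
        return False
    msg = _approval_message(pkg.name, pkg.version, pkg.digest())
    expected = hmac.new(lab_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, approval_id)


class GameServer:
    def __init__(self, lab_key: bytes):
        self._lab_key = lab_key
        self.catalog: dict = {}    # (name, version) -> Package
        self.licenses: dict = {}   # token -> (holder, name, version)

    def submit(self, pkg: Package) -> None:
        self.catalog[(pkg.name, pkg.version)] = pkg

    def record_approval(self, name: str, version: str, approval_id: str) -> bool:
        # Verify the notification before changing status; a forged tag is rejected.
        pkg = self.catalog.get((name, version))
        if pkg is None or not approval_is_valid(pkg, approval_id, self._lab_key):
            return False
        pkg.status, pkg.approval_id = "approved", approval_id
        return True

    def purchase_license(self, holder: str, name: str, version: str,
                         payment_received: bool) -> Optional[str]:
        pkg = self.catalog.get((name, version))
        if pkg is None or pkg.status != "approved" or not payment_received:
            return None
        token = secrets.token_hex(16)     # random, unguessable license token
        self.licenses[token] = (holder, name, version)
        return token

    def download(self, token: str, requestor: str) -> Optional[Package]:
        entry = self.licenses.get(token)
        if entry is None or entry[0] != requestor:
            return None               # token unknown or presented by a non-holder
        return self.catalog[(entry[1], entry[2])]


class GamingDevice:
    """Executes only software whose approval identifier checks out locally."""
    def __init__(self, owner: str, lab_key: bytes):
        self.owner, self._lab_key, self.installed = owner, lab_key, []

    def install(self, pkg: Package) -> bool:
        if pkg.status != "approved" or not approval_is_valid(pkg, pkg.approval_id, self._lab_key):
            return False
        self.installed.append((pkg.name, pkg.version))
        return True


def run_flow() -> dict:
    """Drive the workflow through its refusal paths and the happy path."""
    lab_key = secrets.token_bytes(32)
    lab, server = JurisdictionLab(lab_key), GameServer(lab_key)
    device = GamingDevice("casino-a", lab_key)
    pkg = Package("reel-slot", "1.0", SAMPLE_PAYLOAD)
    server.submit(pkg)
    r = {}
    r["license_before_approval"] = server.purchase_license("casino-a", "reel-slot", "1.0", True)
    r["forged_approval"] = server.record_approval("reel-slot", "1.0", "00" * 32)
    r["approval_recorded"] = server.record_approval("reel-slot", "1.0", lab.review(pkg, True))
    r["license_unpaid"] = server.purchase_license("casino-a", "reel-slot", "1.0", False)
    token = server.purchase_license("casino-a", "reel-slot", "1.0", True)
    r["download_other"] = server.download(token, "casino-b")
    r["install_ok"] = device.install(server.download(token, "casino-a"))
    # Same metadata and approval identifier, but modified contents: the device refuses it.
    tampered = Package(pkg.name, pkg.version, pkg.payload + b"patch", "approved", pkg.approval_id)
    r["install_tampered"] = device.install(tampered)
    return r
```

The check that matters for the claimed security property is that the approval identifier binds to the hash of the delivered bytes, so both the server (before changing status) and the terminal (before execution) verify it independently rather than trusting a status flag carried with the download. A shared MAC key is the simplest of the claim 13 options; a digital signature over the same message would let devices verify without holding a secret.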

14. A gaming system comprising:

a first server, that receives a request, over a communication network, from a requestor for a license to use an approved gaming software program, receives an indication of payment for the license, and downloads the approved gaming software program to the requestor in response to the indication of payment.

15. The gaming system of claim 14, further comprising:

a second server, as the requestor, which is communicatively coupled to the first server over the communication network, wherein the second server subsequently downloads the approved gaming software program to one or more gaming terminals.

16. The gaming system of claim 14, further comprising:

one or more gaming terminals, which ultimately receive and execute the approved gaming software.

17. A computer-readable medium having program instructions stored thereon to perform a method, which when executed within an electronic device, result in:

a game server receiving a request, over a communication network, from a requestor for a license to use an approved gaming software program;

receiving an indication of payment for the license; and

downloading the approved gaming software program to the requestor in response to the indication of payment.

18. A computer-readable medium having program instructions stored thereon to perform a method, which when executed within an electronic device, result in:

receiving a notification of approval of unapproved gaming software, over a communication network, the notification of approval indicating compliance of the unapproved gaming software with a plurality of regulations; and

changing a status of the unapproved gaming software to form approved gaming software.

19. The computer-readable medium of claim 18, wherein performing the method further results in:

forwarding the unapproved gaming software over the communication network to a lab, the lab configured to test compliance of the unapproved gaming software with the plurality of regulations.

20. The computer-readable medium of claim 18, wherein performing the method further results in:

receiving a request, over the communication network, from a requestor for a license to use the approved gaming software;

receiving an indication of payment for the license; and

downloading the approved gaming software to the requestor in response to the indication of payment.